bug: OpenEMR logs sensitive field - payment reference number #7340

Closed
jubittajohn opened this issue Apr 11, 2024 · 0 comments · Fixed by #7341
@jubittajohn (Contributor)

Describe the bug

ASVS: 7.1.1 (Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form).
CWE: 532 (Insertion of Sensitive Information into Log File).

OpenEMR logs the check number (a sensitive payment detail) when a new "Batch Payment Entry" is made, under Category = "other" and Event = "other-insert".

To Reproduce

Steps to reproduce the behavior:

  1. Login to OpenEMR using the admin credentials
  2. Navigate to Fees → Batch payments to make a “Batch Payment Entry”
  3. Put the “Date” as the previous date, “Post to date” as current date, “Payment Method” as Check Payment, “Check number” as “123456789”, “Payment Amount” as 100.
  4. Use the default values for “Paying entity” and “Payment category”
  5. Put the “Payment From” as a user in the system, and click on the “Save changes” button.
  6. Click “OK” on the confirmation and allocation pop-ups.
  7. Navigate to Admin → System → Logs and click on Submit to view the logs.
  8. Check for the log under Category = “other” and Event = “other-insert”.
[Screenshot: log-sensitive-payment-detail-before-fix]

Expected behavior

The “check number” and other payment details should not be displayed in the log (or should be masked).

Client configuration

  • Browser: Version 122.0.6261.129 (Official Build) (arm64)
  • OpenEMR version: v7.0.2
  • Operating system: macOS
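The entry the report describes carries the check number inside the recorded INSERT statement, which is the CWE-532 pattern: the audit trail faithfully stores whatever the application wrote to the database. The following is an added example, not OpenEMR's code and not the fix merged in #7341. It masks the values of designated sensitive columns in a single-row INSERT before the statement is written to an audit log, fails closed (replaces the whole VALUES clause) when the statement cannot be matched column-by-column, and scans existing log lines for entries that were written unmasked. The table and column names (`ar_session`, `reference`, `check_number`) and the sample log lines are constructed assumptions for illustration, not taken from OpenEMR's schema or log format.

```python
import re

# Columns whose values must never reach an audit log in clear text.
# Assumption: these names are illustrative, not OpenEMR's real schema.
SENSITIVE_COLUMNS = {"reference", "check_number", "account_number"}

# Single-row INSERT of the shape a SQL-statement audit logger records.
INSERT_RE = re.compile(
    r"^\s*(INSERT\s+INTO\s+`?\w+`?\s*\()([^)]*)(\)\s*VALUES\s*\()(.*)(\)\s*;?\s*)$",
    re.IGNORECASE | re.DOTALL,
)


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters; short values are fully masked."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def split_values(vals: str) -> list:
    """Split a VALUES list on top-level commas, honouring single-quoted
    strings (and the '' escape) so a comma inside a literal is not a separator."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(vals):
        ch = vals[i]
        if ch == "'":
            if in_quote and vals[i + 1:i + 2] == "'":
                cur.append("''")
                i += 2
                continue
            in_quote = not in_quote
            cur.append(ch)
        elif ch == "," and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def mask_literal(literal: str) -> str:
    """Mask a SQL literal while preserving its quoting."""
    if len(literal) >= 2 and literal[0] == literal[-1] == "'":
        return "'" + mask(literal[1:-1]) + "'"
    return mask(literal)


def redact_insert(sql: str) -> str:
    """Return the INSERT with sensitive column values masked. Fails closed:
    if column and value counts disagree, the whole VALUES clause is replaced.
    Non-INSERT statements are returned unchanged (a real logger would apply
    the same policy to UPDATEs)."""
    m = INSERT_RE.match(sql)
    if not m:
        return sql
    head, cols, mid, vals, tail = m.groups()
    columns = [c.strip().strip("`").lower() for c in cols.split(",")]
    values = split_values(vals)
    if len(columns) != len(values):
        return f"{head}{cols}{mid}<redacted>{tail}"
    redacted = [
        mask_literal(v) if c in SENSITIVE_COLUMNS else v
        for c, v in zip(columns, values)
    ]
    return f"{head}{cols}{mid}{', '.join(redacted)}{tail}"


def find_leaks(log_lines: list) -> list:
    """Return audit-log lines whose recorded INSERT still carries an unmasked
    sensitive value, i.e. lines that redaction would change."""
    leaks = []
    for line in log_lines:
        idx = line.upper().find("INSERT INTO")
        if idx >= 0 and redact_insert(line[idx:]) != line[idx:]:
            leaks.append(line)
    return leaks


# Constructed sample lines in the spirit of an "other-insert" audit entry;
# the format and values are made up for this example.
SAMPLE_AUDIT_LOG = [
    "2024-04-11 10:02:13 other other-insert admin "
    "INSERT INTO ar_session (payer_id, user_id, reference, pay_total, payment_method) "
    "VALUES (0, 1, '123456789', 100.00, 'check_payment')",
    "2024-04-11 10:02:13 other other-insert admin "
    "INSERT INTO ar_session (payer_id, user_id, reference, pay_total, payment_method) "
    "VALUES (0, 1, '*****6789', 100.00, 'check_payment')",
    "2024-04-11 10:02:14 other other-update admin "
    "UPDATE ar_session SET pay_total = 100.00 WHERE session_id = 7",
]

if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG:
        idx = line.upper().find("INSERT INTO")
        print(line if idx < 0 else line[:idx] + redact_insert(line[idx:]))
    print("unmasked entries:", len(find_leaks(SAMPLE_AUDIT_LOG)))
```

Keeping the last four characters is a choice, not a requirement: it lets support staff correlate a payment against a bank statement without the log holding the full reference. If that correlation is not needed, mask the whole value. The leak scanner is idempotent on already-masked lines, so it can be run over a historical log to find entries that predate the fix.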
@adunsulag adunsulag added this to the 7.0.2.1 milestone Apr 23, 2024
@adunsulag adunsulag changed the title from "Bug: OpenEMR logs sensitive information such as payment details" to "bug: OpenEMR logs sensitive field - payment reference number" May 20, 2024