Multiple vulnerabilities in OpenEMR

Published: 2018-08-08 16:23:42
Severity High
Patch available YES
Number of vulnerabilities 21
CVE ID N/A
CVSSv3 (one vector per vulnerability, numbered as in the advisory below)
#1: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#2: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#3: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#4: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#5: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#6: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#7: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#8: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#9: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#10: 6.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
#11: 4.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
#12: 7.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
#13: 8.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
#14: 8.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
#15: 8.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
#16: 8.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
#17: 5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
#18: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
#19: 8.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
#20: 3.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
#21: 5.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L/E:P/RL:O/RC:C]
CWE ID CWE-287
CWE-89
CWE-200
CWE-434
CWE-20
CWE-352
CWE-264
CWE-125
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #5 is available.
Public exploit code for vulnerability #6 is available.
Public exploit code for vulnerability #7 is available.
Public exploit code for vulnerability #8 is available.
Public exploit code for vulnerability #9 is available.
Public exploit code for vulnerability #10 is available.
Public exploit code for vulnerability #11 is available.
Public exploit code for vulnerability #12 is available.
Public exploit code for vulnerability #13 is available.
Public exploit code for vulnerability #14 is available.
Public exploit code for vulnerability #15 is available.
Public exploit code for vulnerability #16 is available.
Public exploit code for vulnerability #17 is available.
Public exploit code for vulnerability #18 is available.
Public exploit code for vulnerability #19 is available.
Public exploit code for vulnerability #20 is available.
Public exploit code for vulnerability #21 is available.
Vulnerable software OpenEMR
Vulnerable software versions OpenEMR 5.0.1.3
Vendor URL OpenEMR

Security Advisory

1) Authentication bypass

Description

The vulnerability allows a remote attacker to bypass authentication on the target system.


The weakness exists due to improper authentication. A remote attacker can navigate to the registration page, modify the requested URL to reach the desired page, and bypass the Patient Portal login.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

2) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_appt_popup_user.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

3) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_appt_popup_user.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

4) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through Anything_simple.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

5) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through forms_admin.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

6) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through search_code.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

7) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_drug_popup.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

8) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_immunization_popup.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

9) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through find_code_popup.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

10) SQL-injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed through de_identification_screen2.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf
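Vulnerabilities #2 to #10 share one root cause: a request parameter is spliced into the SQL text instead of being bound as a parameter. The PHP below is an added example, not OpenEMR's own code and not its database helpers; it shows a surname lookup of the kind the popup search scripts perform, written the unsafe way beside the parameterized form. The table, its rows, the function names and the test input are constructed for the demo, and it runs against an in-memory SQLite database so nothing else is needed.

```php
<?php
// Added example, not OpenEMR code: a name lookup written the unsafe way
// beside the parameterized form. Table, rows and names are constructed.
declare(strict_types=1);

function makeDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE patient_data (pid INTEGER, lname TEXT, fname TEXT)');
    $db->exec("INSERT INTO patient_data VALUES (1, 'Doe', 'Jane'), (2, 'Roe', 'Richard'), (3, 'Smith', 'Ann')");
    return $db;
}

// Vulnerable pattern: the request parameter is spliced into the SQL text, so a
// quote inside it ends the literal early and the rest is parsed as SQL.
function findPatientUnsafe(PDO $db, string $lname): array
{
    $sql = "SELECT pid, lname FROM patient_data WHERE lname = '" . $lname . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed and the value travels as a bound
// parameter, so the database never interprets the input as query syntax.
function findPatientSafe(PDO $db, string $lname): array
{
    $stmt = $db->prepare('SELECT pid, lname FROM patient_data WHERE lname = :lname');
    $stmt->execute([':lname' => $lname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDemoDb();
$input = "x' OR '1'='1";   // constructed input that closes the quoted literal early

// With concatenation the query becomes  WHERE lname = 'x' OR '1'='1'  and the
// condition holds for every row; with binding the database looks for a surname
// equal to the whole string, which no row has.
printf("unsafe: %d rows\n", count(findPatientUnsafe($db, $input)));
printf("safe:   %d rows\n", count(findPatientSafe($db, $input)));
printf("safe, normal lookup: %d rows\n", count(findPatientSafe($db, 'Doe')));
```

When reviewing a patch for findings like these, the thing to confirm is that every query touched now has a fixed SQL string with placeholders and that the old concatenation is gone, not merely wrapped in an escaping call; escaping depends on the connection character set and the surrounding quoting, while binding does not.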

11) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists because the application does not adequately protect sensitive information from parties that would not normally have access to it. A remote attacker can gather information that can be used later in the attack cycle.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

12) Unrestricted upload of file with dangerous type

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary commands.

The vulnerability exists due to insufficient input validation in super/manage_site_files.php, which permits unrestricted file upload. A remote attacker can upload a PHP web shell and execute system commands with elevated privileges.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

13) Improper input validation

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in OpenEMR’s sl_eob_search.php file due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

14) Improper input validation

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in fax_dispatch.php due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

15) Improper input validation

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in faxq.php due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

16) Improper input validation

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in daemon_frame.php due to improper sanitization of user-supplied values. A remote attacker can submit specially crafted input and execute arbitrary code with elevated privileges.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

17) Cross-site request forgery

Description

The vulnerability allows a remote unauthenticated attacker to perform a CSRF attack.

The weakness exists in super/manage_site_files.php due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf
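The fix for a missing-CSRF-protection finding is a per-session synchronizer token that every state-changing form carries and the handler checks before doing anything. The PHP below is an added example, not OpenEMR's own code: the session is modelled as an array so it runs from the command line, and the host name, field names and handler are assumptions chosen for the demo.

```php
<?php
// Added example, not OpenEMR code: synchronizer-token CSRF protection for a
// state-changing request such as a site-file management action. The session
// is modelled as an array; SITE_HOST and all names are constructed.
declare(strict_types=1);

const SITE_HOST = 'emr.example'; // constructed value used by the origin check

// Issue one unguessable token per session and reuse it for every form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Embed the token in every form that changes state.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Accept only when the submitted token equals the session token (constant-time compare).
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// The handler rejects the request before touching any file.
function handleSiteFileAction(array $session, array $post, array $server): string
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'rejected: state changes require POST';
    }
    if (!csrfValid($session, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // Second line of defence: when the browser sends Origin it must name this site.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && parse_url($origin, PHP_URL_HOST) !== SITE_HOST) {
        return 'rejected: cross-origin request';
    }
    return 'accepted: would perform action "' . ($post['action'] ?? '') . '"';
}

// Constructed demo: a legitimate submission, a forged one without the token,
// and a submission whose Origin header names another site.
$session = [];
$formHtml = csrfHiddenField($session);              // rendered into the real form
$legit  = ['action' => 'delete', 'csrf_token' => $session['csrf_token']];
$forged = ['action' => 'delete'];                   // a cross-site form cannot read the token
$same   = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://emr.example'];
$other  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];
echo handleSiteFileAction($session, $legit, $same), "\n";
echo handleSiteFileAction($session, $forged, $same), "\n";
echo handleSiteFileAction($session, $legit, $other), "\n";
```

The token check is the control; the Origin comparison only catches requests a browser labels as cross-site and is no substitute when the header is absent. Also mark the session cookie SameSite=Lax or Strict, which stops most cross-site POSTs from carrying the session at all.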

18) Privilege escalation

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper access controls. A remote attacker can visit http://host/ /ippf_upgrade.php and run an IPPF upgrade on the remote server. Upon visiting ippf_upgrade.php, a user is presented with a button that, when pressed, begins converting the databases to UTF8 (provided they are not encoded already).

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

19) Arbitrary file write

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in import_template.php due to arbitrary file upload. A remote attacker can make a crafted request to upload any type of file, including PHP, to the system and execute arbitrary code with elevated privileges.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf
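Vulnerabilities #12 and #19 are both upload handlers that accept any file type. The PHP below is an added example, not OpenEMR's own code, of the server-side checks such a handler should apply: an extension allow-list (never a deny-list), a content check on the bytes rather than the client-declared type, a size cap, and a server-chosen file name in a directory the web server will not execute from. The allow-list, limits, function names and the two constructed uploads are assumptions for the demo.

```php
<?php
// Added example, not OpenEMR code: server-side checks an upload handler
// should apply before a user-supplied file is written anywhere. Names,
// limits and the allow-list are assumptions chosen for this demo.
declare(strict_types=1);

const UPLOAD_ALLOWED = [          // extension => the only acceptable content type
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];
const UPLOAD_MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate one $_FILES entry and return the server-chosen name to store it
 * under. Throws on anything that is not a plain, allow-listed document.
 */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Exactly one extension, taken from an allow-list. "shell.php",
    // "shell.phtml" and "shell.php.txt" all fail this step; a deny-list would
    // have to enumerate every extension the web server treats as code.
    $base = basename((string) ($file['name'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $base, $m)) {
        throw new RuntimeException('unacceptable file name');
    }
    $ext = strtolower($m[1]);
    if (!isset(UPLOAD_ALLOWED[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // Judge the bytes, not the client-declared Content-Type.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== UPLOAD_ALLOWED[$ext]) {
        throw new RuntimeException("content ($detected) does not match .$ext");
    }
    // The client controls nothing about the final path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move a validated upload into $dir, which must sit outside the document root
 * (or be served with script execution disabled) so nothing stored there runs.
 */
function storeUpload(array $file, string $dir): string
{
    $dest = rtrim($dir, '/') . '/' . validateUpload($file);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Constructed demo: two fake $_FILES entries backed by temporary files.
function fakeUpload(string $name, string $content): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $content);
    return ['name' => $name, 'tmp_name' => $tmp, 'size' => strlen($content), 'error' => UPLOAD_ERR_OK];
}

foreach ([fakeUpload('notes.txt', "plain notes\n"), fakeUpload('shell.php', "<?php echo 1; ?>\n")] as $f) {
    try {
        echo $f['name'], ' -> stored as ', validateUpload($f), "\n";
    } catch (RuntimeException $e) {
        echo $f['name'], ' -> rejected: ', $e->getMessage(), "\n";
    } finally {
        unlink($f['tmp_name']);
    }
}
```

The demo calls validateUpload() only, because move_uploaded_file() refuses files that did not arrive through an HTTP upload. The order of the checks matters: the name and extension are decided before the content check, so an attacker cannot pick an executable extension and then satisfy the content check with a polyglot file.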

20) Out-of-bounds read

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in import_template.php because user input from the docid parameter is passed to the file_get_contents() function without sanitization. A remote attacker can make a crafted request to read files on the system outside the web directory, including /etc/passwd.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf

21) Improper input validation

Description

The vulnerability allows a remote authenticated attacker to delete arbitrary files on the target system.

The vulnerability exists in import_template.php because user input from the docid parameter is passed to the unlink() function without sanitization. A remote authenticated attacker can delete arbitrary files on the system.

Remediation

Update to version 5.0.1.4.

External links

https://insecurity.sh/assets/reports/openemr.pdf
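Vulnerabilities #20 and #21 are the same defect reaching two sinks: a client-supplied docid is handed to file_get_contents() and to unlink() as a path. The PHP below is an added example, not OpenEMR's own code, of confining such an identifier to one directory before either call. It validates the syntactic form of the id and then the canonical resolved path, so traversal sequences, absolute paths and symlinks that point outside the directory are all rejected. The directory, function names and the sample file are assumptions for the demo.

```php
<?php
// Added example, not OpenEMR code: confining a client-supplied document id
// to a fixed template directory before file_get_contents() or unlink().
declare(strict_types=1);

/**
 * Resolve $docid to a path inside $templateDir, or return null if it escapes.
 */
function resolveTemplatePath(string $templateDir, string $docid): ?string
{
    // 1. Syntactic check: a plain file name only, no separators, no "..",
    //    nothing starting with a dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $docid) || strpos($docid, '..') !== false) {
        return null;
    }
    $root = realpath($templateDir);
    if ($root === false) {
        return null;
    }
    // 2. Canonicalise and confirm the result still lives under the root.
    //    realpath() follows symlinks, so a link out of the directory fails here.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $docid);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function readTemplate(string $templateDir, string $docid): ?string
{
    $path = resolveTemplatePath($templateDir, $docid);
    return $path === null ? null : file_get_contents($path);
}

function deleteTemplate(string $templateDir, string $docid): bool
{
    $path = resolveTemplatePath($templateDir, $docid);
    return $path !== null && unlink($path);
}

// Constructed demo in a throwaway directory: one legitimate id, then the kinds
// of id the advisory describes, which must all resolve to null.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/welcome.txt", "Hello\n");
var_dump(readTemplate($dir, 'welcome.txt'));
var_dump(readTemplate($dir, '../../../../etc/passwd'));
var_dump(readTemplate($dir, '/etc/passwd'));
var_dump(deleteTemplate($dir, '../welcome.txt'));
var_dump(deleteTemplate($dir, 'welcome.txt'));
rmdir($dir);
```

The prefix comparison includes the trailing separator so that a sibling directory whose name merely starts with the root's name (tpl_abcd versus tpl_abcd2) does not pass. A stronger design avoids file names in requests altogether: store templates under server-generated keys and look the key up in a table, so the request never carries anything that resembles a path.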
