Multiple vulnerabilities in OpenEMR



Published: 2018-08-13 | Updated: 2020-07-17

Risk: High
Patch available: YES
Number of vulnerabilities: 12
CVE-ID: CVE-2018-15152, CVE-2018-15153, CVE-2018-15154, CVE-2018-15155, CVE-2018-15156, CVE-2018-15139, CVE-2018-15140, CVE-2018-15141, CVE-2018-15142, CVE-2018-15143, CVE-2018-15144, CVE-2018-15145
CWE-ID: CWE-287, CWE-78, CWE-434, CWE-22, CWE-89
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #1, #6, #7, #8 and #9.
Vulnerable software: OpenEMR (Client/Desktop applications / Other client software)
Vendor: OpenEMR

Security Bulletin

This security bulletin contains information about 12 vulnerabilities.

1) Improper Authentication

EUVDB-ID: #VU31233

Risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-15152

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1758/files
http://insecurity.sh/reports/openemr.pdf
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) OS Command Injection

EUVDB-ID: #VU31234

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15153

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1757
http://insecurity.sh/reports/openemr.pdf
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.exploit-db.com/exploits/45161/
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) OS Command Injection

EUVDB-ID: #VU31235

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15154

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the "print_command" global variable in interface/super/edit_globals.php.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1757
http://insecurity.sh/reports/openemr.pdf
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) OS Command Injection

EUVDB-ID: #VU31236

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15155

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1757
http://insecurity.sh/reports/openemr.pdf
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) OS Command Injection

EUVDB-ID: #VU31237

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15156

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1757
http://insecurity.sh/reports/openemr.pdf
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
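
Entries 2 to 5 all begin with a changed value of "hylafax_server", "hylafax_enscript" or "print_command", so those settings are worth auditing on any install that ran an affected version. The following is an added example, not code from OpenEMR or from this bulletin: it assumes the settings have been exported into a dictionary, and the metacharacter list and host-name rule are this example's own assumptions.

```python
import re

# Setting names taken from entries 2-5 of this bulletin.
WATCHED = ("hylafax_server", "hylafax_enscript", "print_command")

# Characters that can end or extend a command when a value is pasted into a shell line.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\r\n]")

# Assumption: hylafax_server should be a bare host name or address and nothing else.
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.\-]{0,252}[A-Za-z0-9])?")


def audit_globals(settings):
    """Return {setting name: [reasons]} for watched settings that look unsafe."""
    findings = {}
    for name in WATCHED:
        value = settings.get(name, "")
        if value == "":
            continue  # unset settings cannot carry an injected command
        reasons = []
        hits = sorted(set(SHELL_META.findall(value)))
        if hits:
            reasons.append("shell metacharacters: " + " ".join(repr(h) for h in hits))
        if name == "hylafax_server" and not HOSTNAME.fullmatch(value):
            reasons.append("not a plain host name")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample values, not taken from any real installation.
CONSTRUCTED_CLEAN = {
    "hylafax_server": "fax.example.internal",
    "hylafax_enscript": "enscript -M Letter -B",
    "print_command": "lpr -P office",
}
CONSTRUCTED_SUSPECT = {
    "hylafax_server": "fax.example.internal; echo test",
    "hylafax_enscript": "enscript -M Letter -B",
    "print_command": "lpr -P office | tee /tmp/copy",
}

if __name__ == "__main__":
    for label, sample in (("clean", CONSTRUCTED_CLEAN), ("suspect", CONSTRUCTED_SUSPECT)):
        print(label, audit_globals(sample))
```

A finding here means the value needs a human look, not that the host was compromised; a legitimate print command can contain characters from the list.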

6) Arbitrary file upload

EUVDB-ID: #VU31238

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-15139

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

7) Path traversal

EUVDB-ID: #VU31239

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-15140

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1765/files
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.exploit-db.com/exploits/45202/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

8) Path traversal

EUVDB-ID: #VU31240

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-15141

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to manipulate data.

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1765/files
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.exploit-db.com/exploits/45202/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

9) Path traversal

EUVDB-ID: #VU31241

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-15142

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed directory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1765/files
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
http://www.exploit-db.com/exploits/45202/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
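
Entries 7 to 9 share one root cause: the "docid" value reaches a file operation without being confined to the template directory. The following added example (not OpenEMR's code and not the vendor's patch) resolves each captured "docid" the way a file API would and tags records that leave a hypothetical base directory; the base path, the record layout and the extension list are assumptions, and the sample records are constructed.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/templates"             # hypothetical template directory
PHP_EXTS = {".php", ".phtml", ".phar"}  # assumed executable extensions

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve(docid, base=BASE):
    """Path that docid names once joined to base and normalised."""
    docid = decode_fully(docid).replace("\\", "/")
    return posixpath.normpath(posixpath.join(base, docid))

def classify(record, base=BASE):
    """Return the bulletin entries one captured request record matches."""
    if not record.get("docid"):
        return []
    target = resolve(record["docid"], base)
    outside = not target.startswith(base + "/")
    mode = record.get("mode", "")
    hits = []
    if outside and mode == "get":
        hits.append("CVE-2018-15140")      # read outside the directory
    if outside and mode == "delete":
        hits.append("CVE-2018-15141")      # delete outside the directory
    if "content" in record:
        ext = posixpath.splitext(target)[1].lower()
        if outside or ext in PHP_EXTS:
            hits.append("CVE-2018-15142")  # write of a traversed or PHP file
    return hits

# Constructed records, shaped like parameters captured by a WAF or request log.
SAMPLE = [
    {"mode": "get", "docid": "welcome.tpl"},
    {"mode": "get", "docid": "../../../outside.txt"},
    {"mode": "delete", "docid": "%252e%252e/%252e%252e/outside.txt"},
    {"docid": "forms/../note.php", "content": "constructed body"},
]

def triage(records=SAMPLE):
    return [classify(r) for r in records]
```

The same resolve-then-compare step is what a server-side check needs: decide on the normalised path, never on the raw parameter string.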

10) SQL injection

EUVDB-ID: #VU31242

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15143

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the (1) catid or (2) providerid parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.

Mitigation

Update to version 5.0.1.4.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1758/files
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) SQL injection

EUVDB-ID: #VU31243

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15144

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the search_term parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.

Mitigation

Update to version 5.0.1.4.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1757/files
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) SQL injection

EUVDB-ID: #VU31244

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15145

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the (1) eid, (2) userid, or (3) pid parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.

Mitigation

Update to version 5.0.1.4.

Vulnerable software versions

OpenEMR: 5.0.1.1 - 5.0.1.3

External links

http://github.com/openemr/openemr/pull/1758/files
http://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


