SB2019080209 - Multiple vulnerabilities in OpenEMR OpenEMR

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2019-14530)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.

2) SQL injection (CVE-ID: CVE-2019-14529)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in interface/forms/eye_mag/save.php in OpenEMR before 5.0.2. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website.

References

• https://github.com/openemr/openemr/pull/2592
• https://github.com/Wezery/CVE-2019-14530
• https://github.com/Wezery/CVE-2019-14529