Main Vulnerability Database Exploits ID:6477 - Exploit for Path traversal in OpenEMR - CVE-2019-14530

ID:6477 - Exploit for Path traversal in OpenEMR - CVE-2019-14530

Published: June 28, 2021

Vulnerability identifier: #VU30824

Vulnerability risk: Medium

CVE-ID: CVE-2019-14530

CWE-ID: CWE-22

Exploitation vector: Remote access

Vulnerable software:
OpenEMR

Link to public exploit:

https://www.exploit-db.com/exploits/50037/

Vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.

Remediation

Install update from vendor's website.

ID:6477 - Exploit for Path traversal in OpenEMR - CVE-2019-14530

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human