Main Vulnerability Database Vulnerabilities #VU31239

#VU31239 Path traversal in OpenEMR - CVE-2018-15140

Published: August 13, 2018 / Updated: June 17, 2021

Vulnerability identifier: #VU31239

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2018-15140

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
OpenEMR

Software vendor:
OpenEMR

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.

Remediation

Install update from vendor's website.

External links

https://github.com/openemr/openemr/pull/1765/files
https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
https://www.exploit-db.com/exploits/45202/

#VU31239 Path traversal in OpenEMR - CVE-2018-15140

Description

Remediation

External links

Please verify you're human