Main Vulnerability Database Vulnerabilities #VU31240

#VU31240 Path traversal in OpenEMR - CVE-2018-15141

Published: August 13, 2018 / Updated: June 17, 2021

Vulnerability identifier: #VU31240

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2018-15141

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
OpenEMR

Software vendor:
OpenEMR

Description

The vulnerability allows a remote authenticated user to manipulate data.

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete.

Remediation

Install update from vendor's website.

External links

https://github.com/openemr/openemr/pull/1765/files
https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
https://www.exploit-db.com/exploits/45202/

#VU31240 Path traversal in OpenEMR - CVE-2018-15141

Description

Remediation

External links

Please verify you're human