Input validation error in OpenEMR

#VU38618 Input validation error in OpenEMR

Published: 2017-08-01 | Updated: 2020-08-08

Vulnerability identifier: #VU38618

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12064

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenEMR
Client/Desktop applications / Other client software

Vendor: OpenEMR

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenEMR: 5.0.0

External links
http://github.com/openemr/openemr/commit/b8963a5ca483211ed8de71f18227a0e66a2582ad

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in OpenEMR