Security Vulnerabilities - CVEs Published In February 2021
A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.
CVSS Score
7.2
EPSS Score
0.001
Published
2021-02-15
A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.
CVSS Score
7.2
EPSS Score
0.001
Published
2021-02-15
Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must login to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
7.2
EPSS Score
0.052
Published
2021-02-15
The user area for Library System 1.0 is vulnerable to SQL injection where a user can bypass the authentication and login as the admin user.
CVSS Score
9.8
EPSS Score
0.002
Published
2021-02-15
The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass. An attacker can obtain access to the admin panel by injecting a SQL query in the username field of the login page.
CVSS Score
9.8
EPSS Score
0.002
Published
2021-02-15
Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak sensitive information and perform code execution attacks.
CVSS Score
9.8
EPSS Score
0.099
Published
2021-02-15
E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.
CVSS Score
9.8
EPSS Score
0.384
Published
2021-02-15
A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter.
CVSS Score
7.2
EPSS Score
0.001
Published
2021-02-15
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
CVSS Score
7.2
EPSS Score
0.141
Published
2021-02-15
A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings.
CVSS Score
7.2
EPSS Score
0.001
Published
2021-02-15