Open-Emr: >> Openemr >> 5.0.2.1 Security Vulnerabilities
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
CVSS Score
6.5
EPSS Score
0.009
Published
2022-03-30
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
CVSS Score
8.1
EPSS Score
0.013
Published
2021-06-24
The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient.
CVSS Score
8.2
EPSS Score
0.012
Published
2021-05-07
A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1.
CVSS Score
8.8
EPSS Score
0.012
Published
2021-05-07
A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter.
CVSS Score
4.8
EPSS Score
0.007
Published
2021-05-07
A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1.
CVSS Score
8.8
EPSS Score
0.012
Published
2021-05-07
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.
CVSS Score
6.1
EPSS Score
0.008
Published
2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS Score
4.8
EPSS Score
0.006
Published
2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS Score
4.8
EPSS Score
0.006
Published
2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS Score
4.8
EPSS Score
0.699
Published
2021-03-22