Open-Emr: >> Openemr >> 6.0.0 Security Vulnerabilities
A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0.
CVSS Score
5.4
EPSS Score
0.016
Published
2022-03-25
OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.
CVSS Score
4.3
EPSS Score
0.004
Published
2022-03-23
An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.
CVSS Score
8.1
EPSS Score
0.013
Published
2022-03-03
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-12-17
OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.
CVSS Score
6.5
EPSS Score
0.037
Published
2021-09-01
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
CVSS Score
8.1
EPSS Score
0.001
Published
2021-06-24
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.
CVSS Score
6.1
EPSS Score
0.017
Published
2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS Score
4.8
EPSS Score
0.028
Published
2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS Score
4.8
EPSS Score
0.028
Published
2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS Score
4.8
EPSS Score
0.59
Published
2021-03-22