Open-Emr >> Openemr >> 5.0.0.5 Security Vulnerabilities
4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1
CVSS Score: 6.1
EPSS Score: 0.021
Published: 2019-10-04
In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface when creating a new form.
CVSS Score: 8.8
EPSS Score: 0.607
Published: 2019-08-20
In OpenEMR 5.0.1 and earlier, the patient file download interface contains a directory traversal flaw that allows authenticated attackers to download arbitrary files from the host system.
CVSS Score: 6.5
EPSS Score: 0.343
Published: 2019-08-20
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
CVSS Score: 6.1
EPSS Score: 0.267
Published: 2019-08-20
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
CVSS Score: 6.1
EPSS Score: 0.267
Published: 2019-08-20
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
CVSS Score: 6.1
EPSS Score: 0.349
Published: 2019-08-20
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
CVSS Score: 6.1
EPSS Score: 0.349
Published: 2019-08-20
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from the server.
CVSS Score: 8.8
EPSS Score: 0.791
Published: 2019-08-13
OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.
CVSS Score: 9.8
EPSS Score: 0.021
Published: 2019-08-02
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
CVSS Score: 9.8
EPSS Score: 0.084
Published: 2019-05-17