OpenEMR: Security Vulnerabilities, CVEs, CVSS score >= 9
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
Max CVSS: 10.0 | EPSS Score: 0.14% | Published: 2022-08-09 | Updated: 2022-08-12
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
Max CVSS: 9.6 | EPSS Score: 0.14% | Published: 2022-08-09 | Updated: 2022-08-12
The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters.
Max CVSS: 9.0 | EPSS Score: 18.60% | Published: 2021-02-07 | Updated: 2021-06-01
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7; an attacker can trigger them with a specially crafted HTTP request. (phpGACL is the access-control library bundled with OpenEMR, which is why the phpGACL entries appear in this list.)
Max CVSS: 9.8 | EPSS Score: 0.47% | Published: 2022-04-18 | Updated: 2022-04-26
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter.
Max CVSS: 9.6 | EPSS Score: 4.10% | Published: 2021-02-01 | Updated: 2022-07-29
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter.
Max CVSS: 9.6 | EPSS Score: 4.10% | Published: 2021-02-01 | Updated: 2022-07-29
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template action parameter.
Max CVSS: 9.6 | EPSS Score: 24.40% | Published: 2021-02-01 | Updated: 2022-06-29
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.
Max CVSS: 9.8 | EPSS Score: 0.22% | Published: 2019-10-05 | Updated: 2019-10-08
OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.
Max CVSS: 9.8 | EPSS Score: 0.17% | Published: 2019-08-02 | Updated: 2023-03-03
OpenEMR v5.0.1-6 allows code execution.
Max CVSS: 9.0 | EPSS Score: 0.39% | Published: 2019-09-16 | Updated: 2021-07-21
In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface when creating a new form.
Max CVSS: 9.0 | EPSS Score: 76.79% | Published: 2019-08-20 | Updated: 2020-08-24
OpenEMR version 5.0.0 contains an OS command injection vulnerability in fax_dispatch.php that is exploitable by an authenticated attacker with any role. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher.
Max CVSS: 9.0 | EPSS Score: 0.14% | Published: 2018-02-09 | Updated: 2018-03-01
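Three entries above (backup.php, the Scanned Forms interface, fax_dispatch.php) are the same bug class: an authenticated user's input reaches a command string that is handed to the system shell, so shell metacharacters become extra commands. The following is an added illustration, not OpenEMR's own code or any of the affected files; it uses `echo` in place of the real archiving tool and an assumed allow-list pattern for the user-supplied name, so it is harmless to run. It contrasts the shell-string pattern with an argv list plus input validation.

```python
import re
import subprocess

# Assumed allow-list for a user-supplied backup name (illustration only;
# this is not OpenEMR's validation logic).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_safe_name(backup_name: str) -> bool:
    """True when the name contains only allow-listed characters."""
    return SAFE_NAME.match(backup_name) is not None


def vulnerable_run(backup_name: str) -> list[str]:
    """Vulnerable pattern: input interpolated into a string given to /bin/sh.

    The shell parses the entire string, so ';', '|', '&&', backticks and
    '$(...)' inside backup_name start new commands or substitutions.
    Returns the command's stdout lines so the effect is observable.
    """
    cmd = f"echo archiving {backup_name}"  # mirrors "tar czf ... {name}" style code
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def argv_run(backup_name: str) -> list[str]:
    """No shell involved: each list element is delivered as one argument.

    Metacharacters are plain bytes in the argument, never a second command.
    """
    out = subprocess.run(
        ["echo", "archiving", backup_name], capture_output=True, text=True, check=True
    )
    return out.stdout.splitlines()


def hardened_run(backup_name: str) -> list[str]:
    """Defence in depth: reject anything outside the allow-list, then use argv."""
    if not is_safe_name(backup_name):
        raise ValueError(f"rejected backup name: {backup_name!r}")
    return argv_run(backup_name)


if __name__ == "__main__":
    payload = "x; echo INJECTED"  # constructed attacker input
    print("shell string:", vulnerable_run(payload))   # second command executes
    print("argv list:   ", argv_run(payload))         # one literal argument
    print("hardened:    ", hardened_run("nightly-01"))
```

The `argv` form removes the shell from the path entirely; the allow-list on top of it is what stops the argument from doing something unexpected inside the invoked program (for example, a name that tar would read as an option).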
An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2019-05-17 | Updated: 2019-05-20
CVE-2018-17179 (public exploit available)
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
Max CVSS: 9.8 | EPSS Score: 1.03% | Published: 2019-05-17 | Updated: 2019-05-20
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.
Max CVSS: 9.1 | EPSS Score: 4.20% | Published: 2018-08-15 | Updated: 2022-02-10
Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) eid, (2) userid, or (3) pid parameter.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2018-08-13 | Updated: 2018-10-10
Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) catid or (2) providerid parameter.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2018-08-13 | Updated: 2018-10-10
17 vulnerabilities found