ID CVE-2019-14530 Type cve Reporter cve@mitre.org Modified 2019-08-19T19:56:00
Description
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
{"id": "CVE-2019-14530", "bulletinFamily": "NVD", "title": "CVE-2019-14530", "description": "An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.", "published": "2019-08-13T14:15:00", "modified": "2019-08-19T19:56:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14530", "reporter": "cve@mitre.org", "references": ["https://github.com/openemr/openemr/pull/2592", "https://github.com/Wezery/CVE-2019-14530"], "cvelist": ["CVE-2019-14530"], "type": "cve", "lastseen": "2020-12-09T21:41:43", "edition": 7, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310142700"]}], "modified": "2020-12-09T21:41:43", "rev": 2}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-12-09T21:41:43", "rev": 2}, "vulnersScore": 4.1}, "cpe": [], "affectedSoftware": [{"cpeName": "open-emr:openemr", "name": "open-emr openemr", "operator": "lt", "version": "5.0.2"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "cpe23": [], "cwe": ["CWE-22"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:open-emr:openemr:5.0.2:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.2", "vulnerable": true}], "operator": "OR"}]}}
{"openvas": [{"lastseen": "2019-09-24T14:26:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3963", "CVE-2019-3966", "CVE-2019-3968", "CVE-2019-14530", "CVE-2019-3965", "CVE-2019-14529", "CVE-2019-8371", "CVE-2019-3967", "CVE-2019-3964", "CVE-2019-8368"], "description": "OpenEMR is prone to multiple vulnerabilities.", "modified": "2019-09-24T00:00:00", "published": "2019-08-06T00:00:00", "id": "OPENVAS:1361412562310142700", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142700", "type": "openvas", "title": "OpenEMR < 5.0.2 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:open-emr:openemr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142700\");\n script_version(\"2019-09-24T06:52:30+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 06:52:30 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-06 09:13:00 +0000 (Tue, 06 Aug 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-14529\", \"CVE-2019-14530\", \"CVE-2019-3963\", \"CVE-2019-3964\", \"CVE-2019-3965\",\n \"CVE-2019-3966\", \"CVE-2019-3967\", \"CVE-2019-3968\", \"CVE-2019-8368\", \"CVE-2019-8371\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"OpenEMR < 5.0.2 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_openemr_detect.nasl\");\n script_mandatory_keys(\"openemr/installed\");\n\n script_tag(name:\"summary\", value:\"OpenEMR is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"OpenEMR is prone to multiple vulnerabilities:\n\n - SQL injection vulnerability in interface/forms/eye_mag/save.php (CVE-2019-14529)\n\n - Authenticated file download vulnerability (CVE-2019-14530)\n\n - Multiple XSS vulnerabilities (CVE-2019-3963, CVE-2019-3964, CVE-2019-3965, CVE-2019-3966, CVE-2019-8368)\n\n - Directory Traversal and Arbitrary File Download vulnerability (CVE-2019-3967)\n\n - Multiple command injection vulnerabilities (CVE-2019-3968, CVE-2019-8371)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"OpenEMR versions prior to 5.0.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.0.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/2592\");\n script_xref(name:\"URL\", value:\"https://github.com/Wezery/CVE-2019-14530\");\n script_xref(name:\"URL\", value:\"https://www.tenable.com/security/research/tra-2019-40\");\n script_xref(name:\"URL\", value:\"https://know.bishopfox.com/advisories/openemr-5-0-16-remote-code-execution-cross-site-scripting\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"5.0.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.0.2\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}
