Lucene search

Librehealth Ehr Security Vulnerabilities

cve

CVE-2018-1000645

LibreHealthIO lh-ehr version <REL-2.0.0 contains an Authenticated Local File Disclosure vulnerability in Importing of templates allows local file disclosure that can result in Disclosure of sensitive files on the server. This attack appear to be exploitable via User controlled variable in import...

6.5CVSS

6.2AI Score

0.001EPSS

2022-10-03 04:21 PM

cve

CVE-2018-1000646

LibreHealthIO LH-EHR version REL-2.0.0 contains an Authenticated Unrestricted File Write vulnerability in Import template that can result in write files with malicious content and may lead to remote code execution.

8.8CVSS

9AI Score

0.003EPSS

2022-10-03 04:21 PM

cve

CVE-2018-1000647

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Deletion vulnerability in Import template that can result in Denial of service. This attack appear to be exploitable via User controlled parameter.

7.1CVSS

6.8AI Score

0.001EPSS

2022-10-03 04:21 PM

cve

CVE-2018-1000648

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write vulnerability in Patient file letter functions that can result in Write files with malicious content and may lead to remote code execution. This attack appear to be exploitable via User controlled parameters.

8.8CVSS

8.9AI Score

0.003EPSS

2022-10-03 04:21 PM

cve

CVE-2018-1000649

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write in letter.php (2) vulnerability in Patient file letter functions that can result in Write files with malicious content and may lead to remote code execution. This attack appear to be exploitable via User control...

8.8CVSS

8.9AI Score

0.002EPSS

2022-10-03 04:22 PM

cve

CVE-2018-1000650

LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in Show Groups Popup SQL query functions that can result in Ability to perform malicious database queries. This attack appear to be exploitable via User controlled parameters.

8.8CVSS

8.9AI Score

0.001EPSS

2022-10-03 04:22 PM

cve

CVE-2018-1000839

LH-EHR version REL-2_0_0 contains a Arbitrary File Upload vulnerability in Profile picture upload that can result in Remote Code Execution. This attack appear to be exploitable via Uploading a PHP file with image MIME type.

8.8CVSS

8.8AI Score

0.004EPSS

2022-10-03 04:21 PM

cve

CVE-2020-11436

LibreHealth EMR v2.0.0 is vulnerable to XSS that results in the ability to force arbitrary actions on behalf of other users including administrators.

9CVSS

8.7AI Score

0.003EPSS

2020-07-15 08:15 PM

cve

CVE-2020-11437

LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database.

4.3CVSS

5.2AI Score

0.001EPSS

2020-07-15 08:15 PM

cve

CVE-2020-11438

LibreHealth EMR v2.0.0 is affected by systemic CSRF.

8.8CVSS

8.7AI Score

0.003EPSS

2020-07-15 08:15 PM

cve

CVE-2020-11439

LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application.

8.8CVSS

8.7AI Score

0.002EPSS

2020-07-15 08:15 PM

cve

CVE-2020-23829

interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously crafted image.

8.8CVSS

8.9AI Score

0.008EPSS

2020-09-01 05:15 PM

cve

CVE-2022-29938

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\payment_master.inc.php leads to SQL injection.

8.8CVSS

9AI Score

0.002EPSS

2022-05-05 12:15 PM

cve

CVE-2022-29939

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.

5.4CVSS

5.3AI Score

0.001EPSS

2022-05-05 12:15 PM

cve

CVE-2022-29940

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

5.4CVSS

5.3AI Score

0.001EPSS

2022-05-05 12:15 PM

cve

CVE-2022-31492

Cross Site scripting (XSS) vulnerability inLibreHealth EHR Base 2.0.0 via interface/usergroup/usergroup_admin_add.php Username.

6.1CVSS

6AI Score

0.001EPSS

2022-06-06 08:15 PM

cve

CVE-2022-31493

LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php acl_id XSS.

6.1CVSS

6.2AI Score

0.001EPSS

2022-06-06 07:15 PM

cve

CVE-2022-31494

LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php action XSS.

6.1CVSS

6.2AI Score

0.001EPSS

2022-06-06 11:15 PM

cve

CVE-2022-31495

LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php return_page XSS.

6.1CVSS

6.2AI Score

0.001EPSS

2022-06-07 03:15 PM

cve

CVE-2022-31496

LibreHealth EHR Base 2.0.0 allows incorrect interface/super/manage_site_files.php access.

8.8CVSS

8.7AI Score

0.002EPSS

2022-06-09 12:15 AM

cve

CVE-2022-31497

LibreHealth EHR Base 2.0.0 allows interface/main/finder/finder_navigation.php patient XSS.

6.1CVSS

6.2AI Score

0.001EPSS

2022-06-08 12:15 PM

cve

CVE-2022-31498

LibreHealth EHR Base 2.0.0 allows interface/orders/patient_match_dialog.php key XSS.

6.1CVSS

6.2AI Score

0.001EPSS

2022-06-06 09:15 PM