Openemr Security Vulnerabilities and Issues — Openemr CVE List

Lucene search

Open-emrOpenemr

141 matches found

CVE•added 2018/04/30 5:29 p.m.•180 views

CVE-2018-10571

Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or ...

6.1CVSS6.2AI score0.00141EPSS

CVE•added 2019/10/04 7:15 p.m.•162 views

CVE-2019-17179

4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1

6.1CVSS6.5AI score0.02086EPSS

CVE•added 2018/08/15 5:29 p.m.•121 views

CVE-2018-15153

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.

8.8CVSS8.9AI score0.75975EPSS

CVE•added 2019/09/16 6:15 p.m.•120 views

CVE-2019-8368

OpenEMR v5.0.1-6 allows XSS.

6.1CVSS6.5AI score0.42273EPSS

CVE•added 2018/08/13 6:29 p.m.•118 views

CVE-2018-15139

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

8.8CVSS8.6AI score0.80616EPSS

CVE•added 2019/08/13 2:15 p.m.•118 views

CVE-2019-14530

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/def...

8.8CVSS7.2AI score0.79098EPSS

CVE•added 2019/10/05 7:15 p.m.•118 views

CVE-2019-17197

OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.

9.8CVSS9.9AI score0.00008EPSS

CVE•added 2023/05/08 5:15 a.m.•118 views

CVE-2023-2566

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

7.5CVSS5.2AI score0.01495EPSS

CVE•added 2023/05/28 4:15 a.m.•111 views

CVE-2023-2949

Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1.

8.3CVSS6.3AI score0.72247EPSS

CVE•added 2017/06/02 3:29 p.m.•102 views

CVE-2017-9380

OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.

8.8CVSS8.8AI score0.0055EPSS

CVE•added 2018/08/15 5:29 p.m.•100 views

CVE-2018-15152

Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_result...

9.1CVSS9.1AI score0.09059EPSS

CVE•added 2023/05/27 11:15 p.m.•100 views

CVE-2023-2947

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

4.8CVSS4.7AI score0.20403EPSS

CVE•added 2023/05/28 4:15 a.m.•97 views

CVE-2023-2948

Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.

8.3CVSS6.3AI score0.83283EPSS

CVE•added 2023/05/28 4:15 a.m.•94 views

CVE-2023-2950

Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.

8.1CVSS7.1AI score0.00248EPSS

CVE•added 2019/10/21 11:15 p.m.•91 views

CVE-2019-16404

Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.

8.8CVSS8.9AI score0.00013EPSS

CVE•added 2019/10/21 1:15 a.m.•91 views

CVE-2019-16862

Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.

6.1CVSS6.7AI score0.06297EPSS

CVE•added 2023/05/27 10:15 p.m.•91 views

CVE-2023-2944

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

6.3CVSS5.6AI score0.00059EPSS

CVE•added 2023/05/27 10:15 p.m.•90 views

CVE-2023-2943

Code Injection in GitHub repository openemr/openemr prior to 7.0.1.

8.8CVSS6.8AI score0.00118EPSS

CVE•added 2023/05/27 10:15 p.m.•89 views

CVE-2023-2945

Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1.

5.4CVSS4.9AI score0.00175EPSS

CVE•added 2021/02/07 8:15 p.m.•88 views

CVE-2020-36243

The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters.

9CVSS8.9AI score0.85885EPSS

CVE•added 2023/05/27 11:15 p.m.•87 views

CVE-2023-2946

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

8.1CVSS7.1AI score0.00062EPSS

CVE•added 2024/02/28 10:15 p.m.•86 views

CVE-2024-26476

An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.

3.5CVSS6.9AI score0.00045EPSS

CVE•added 2019/10/21 1:15 a.m.•83 views

CVE-2019-17409

Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.

6.1CVSS6.2AI score0.01938EPSS

CVE•added 2021/09/01 1:15 p.m.•81 views

CVE-2021-40352

OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.

6.5CVSS6.2AI score0.03659EPSS

CVE•added 2022/03/30 11:15 a.m.•81 views

CVE-2022-1177

Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.

6.5CVSS4.8AI score0.03305EPSS

CVE•added 2019/09/16 5:15 p.m.•78 views

CVE-2019-8371

OpenEMR v5.0.1-6 allows code execution.

9CVSS7.4AI score0.00833EPSS

CVE•added 2020/12/31 3:15 a.m.•76 views

CVE-2018-16795

OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.

8.8CVSS8.8AI score0.00019EPSS

CVE•added 2022/03/23 10:15 p.m.•76 views

CVE-2022-25041

OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.

4.3CVSS4.8AI score0.00369EPSS

CVE•added 2022/03/30 12:15 p.m.•72 views

CVE-2022-1181

Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.

8CVSS5.6AI score0.28185EPSS

CVE•added 2022/03/25 9:15 p.m.•70 views

CVE-2022-24643

A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0.

5.4CVSS5.2AI score0.01559EPSS

CVE•added 2022/04/25 11:15 a.m.•69 views

CVE-2022-1461

Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.

8.1CVSS6.8AI score0.01648EPSS

CVE•added 2022/03/30 12:15 p.m.•68 views

CVE-2022-1179

Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

5.4CVSS4.8AI score0.50874EPSS

CVE•added 2022/03/30 12:15 p.m.•68 views

CVE-2022-1180

Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

4.6CVSS3.8AI score0.18525EPSS

CVE•added 2022/04/25 10:15 a.m.•65 views

CVE-2022-1459

Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.

8.3CVSS8.3AI score0.00473EPSS

CVE•added 2017/11/04 7:29 p.m.•63 views

CVE-2017-16540

OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database copying because setup.php exposes functionality for cloning an existing OpenEMR site to an arbitrary attacker-controlled MySQL server via vectors involving a crafted state parameter.

7.5CVSS7.3AI score0.00334EPSS

CVE•added 2022/04/25 10:15 a.m.•63 views

CVE-2022-1458

Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.

7.3CVSS5.5AI score0.10429EPSS

CVE•added 2023/02/22 9:15 p.m.•63 views

CVE-2023-22974

A Path Traversal in setup.php in OpenEMR

7.5CVSS7.3AI score0.03053EPSS

CVE•added 2022/03/30 12:15 p.m.•61 views

CVE-2022-1178

Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

7.3CVSS5.5AI score0.24476EPSS

CVE•added 2018/02/09 11:29 p.m.•60 views

CVE-2018-1000020

OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher.

6.1CVSS6.2AI score0.0386EPSS

CVE•added 2018/08/13 6:29 p.m.•60 views

CVE-2018-15142

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed direct...

8.8CVSS8.7AI score0.023EPSS

CVE•added 2022/08/09 12:15 p.m.•58 views

CVE-2022-2732

Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1.

8.3CVSS8.3AI score0.00079EPSS

CVE•added 2025/03/25 9:15 p.m.•58 views

CVE-2025-29789

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are vulnerable to Directory Traversal in the Load Code feature. Version 7.3.0 contains a patch for the issue.

7.5CVSS7.3AI score0.00065EPSS

CVE•added 2025/03/31 5:15 p.m.•58 views

CVE-2025-31117

OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal reso...

7.5CVSS6.3AI score0.00191EPSS

CVE•added 2022/03/03 12:15 a.m.•56 views

CVE-2022-25471

An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.

8.1CVSS7.7AI score0.01304EPSS

CVE•added 2022/07/22 4:15 a.m.•55 views

CVE-2022-2493

Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.

8.3CVSS8.1AI score0.00123EPSS

CVE•added 2018/08/13 6:29 p.m.•54 views

CVE-2018-15141

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete.

6.5CVSS7.2AI score0.02037EPSS

CVE•added 2022/12/15 1:15 a.m.•54 views

CVE-2022-4503

Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.0.2.

6.4CVSS6AI score0.0033EPSS

CVE•added 2022/12/15 1:15 a.m.•54 views

CVE-2022-4506

Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.

8.8CVSS8.2AI score0.00036EPSS

CVE•added 2023/02/22 9:15 p.m.•54 views

CVE-2023-22973

A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR

8.8CVSS8.4AI score0.01419EPSS

CVE•added 2018/08/13 6:29 p.m.•53 views

CVE-2018-15140

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.

6.5CVSS6.7AI score0.0202EPSS

Total number of security vulnerabilities141