Openemr@* Security Vulnerabilities and Issues — Openemr@* CVE List

Lucene search

Open-emrOpenemr*

12 matches found

CVE•added 2021/03/22 8:15 p.m.•45 views

CVE-2021-25920

In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.

6.5CVSS6.3AI score0.00224EPSS

CVE•added 2021/03/22 8:15 p.m.•45 views

CVE-2021-25922

In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.

6.1CVSS6.1AI score0.01666EPSS

CVE•added 2021/03/22 8:15 p.m.•43 views

CVE-2021-25917

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.

4.8CVSS5.2AI score0.02795EPSS

CVE•added 2021/03/22 8:15 p.m.•43 views

CVE-2021-25921

In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the Allergies section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit.

5.4CVSS5.2AI score0.57066EPSS

CVE•added 2021/03/22 8:15 p.m.•42 views

CVE-2021-25919

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.

4.8CVSS5.1AI score0.5897EPSS

CVE•added 2021/03/22 8:15 p.m.•41 views

CVE-2021-25918

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.

4.8CVSS5.1AI score0.02795EPSS

CVE•added 2021/05/07 4:15 a.m.•36 views

CVE-2021-32103

A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter.

4.8CVSS5AI score0.00505EPSS

CVE•added 2021/02/15 8:15 p.m.•31 views

CVE-2020-29142

A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings.

7.2CVSS7.7AI score0.00057EPSS

CVE•added 2021/02/15 9:15 p.m.•30 views

CVE-2020-29143

A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.

7.2CVSS7.7AI score0.00057EPSS

CVE•added 2021/02/15 9:15 p.m.•27 views

CVE-2020-29139

A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter.

7.2CVSS7.7AI score0.00057EPSS

CVE•added 2021/02/15 9:15 p.m.•26 views

CVE-2020-29140

A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.

7.2CVSS7.7AI score0.00057EPSS

CVE•added 2021/06/24 11:15 a.m.•26 views

CVE-2021-25923

In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.

8.1CVSS8AI score0.00065EPSS