Filtered by vendor Open-emr
Subscribe
Total
128 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1461 | 1 Open-emr | 1 Openemr | 2022-05-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1. | |||||
| CVE-2022-1459 | 1 Open-emr | 1 Openemr | 2022-05-04 | 5.5 MEDIUM | 8.3 HIGH |
| Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1. | |||||
| CVE-2022-1458 | 1 Open-emr | 1 Openemr | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1. | |||||
| CVE-2021-40352 | 1 Open-emr | 1 Openemr | 2022-05-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users. | |||||
| CVE-2020-13567 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2022-04-26 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-1181 | 1 Open-emr | 1 Openemr | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2. | |||||
| CVE-2022-1180 | 1 Open-emr | 1 Openemr | 2022-04-04 | 3.5 LOW | 3.5 LOW |
| Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | |||||
| CVE-2022-1179 | 1 Open-emr | 1 Openemr | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | |||||
| CVE-2022-1178 | 1 Open-emr | 1 Openemr | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | |||||
| CVE-2022-1177 | 1 Open-emr | 1 Openemr | 2022-04-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0. | |||||
| CVE-2022-24643 | 1 Open-emr | 1 Openemr | 2022-03-29 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0. | |||||
| CVE-2022-25041 | 1 Open-emr | 1 Openemr | 2022-03-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| OpenEMR v6.0.0 was discovered to contain an incorrect access control issue. | |||||
| CVE-2022-25471 | 1 Open-emr | 1 Openemr | 2022-03-09 | 5.5 MEDIUM | 8.1 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register. | |||||
| CVE-2019-14530 | 1 Open-emr | 1 Openemr | 2022-02-10 | 6.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server. | |||||
| CVE-2018-15152 | 1 Open-emr | 1 Openemr | 2022-02-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient. | |||||
| CVE-2018-15139 | 1 Open-emr | 1 Openemr | 2022-02-10 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory. | |||||
| CVE-2017-9380 | 1 Open-emr | 1 Openemr | 2022-02-09 | 6.5 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. | |||||
| CVE-2021-41843 | 1 Open-emr | 1 Openemr | 2021-12-22 | 6.8 MEDIUM | 6.5 MEDIUM |
| An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI. | |||||
| CVE-2019-8371 | 1 Open-emr | 1 Openemr | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| OpenEMR v5.0.1-6 allows code execution. | |||||
| CVE-2021-25923 | 1 Open-emr | 1 Openemr | 2021-06-30 | 6.8 MEDIUM | 8.1 HIGH |
| In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover. | |||||