Filtered by vendor Open-emr
Subscribe
Total
128 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36243 | 1 Open-emr | 1 Openemr | 2021-06-01 | 9.0 HIGH | 8.8 HIGH |
| The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters. | |||||
| CVE-2021-32104 | 1 Open-emr | 1 Openemr | 2021-05-11 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | |||||
| CVE-2021-32101 | 1 Open-emr | 1 Openemr | 2021-05-11 | 6.4 MEDIUM | 8.2 HIGH |
| The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient. | |||||
| CVE-2021-32102 | 1 Open-emr | 1 Openemr | 2021-05-11 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | |||||
| CVE-2021-32103 | 1 Open-emr | 1 Openemr | 2021-05-11 | 3.5 LOW | 4.8 MEDIUM |
| A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | |||||
| CVE-2021-25917 | 1 Open-emr | 1 Openemr | 2021-03-29 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-25918 | 1 Open-emr | 1 Openemr | 2021-03-29 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-25922 | 1 Open-emr | 1 Openemr | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code. | |||||
| CVE-2021-25919 | 1 Open-emr | 1 Openemr | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-25921 | 1 Open-emr | 1 Openemr | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit. | |||||
| CVE-2020-29140 | 1 Open-emr | 1 Openemr | 2021-02-22 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. | |||||
| CVE-2020-29143 | 1 Open-emr | 1 Openemr | 2021-02-22 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. | |||||
| CVE-2020-29139 | 1 Open-emr | 1 Openemr | 2021-02-22 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter. | |||||
| CVE-2020-29142 | 1 Open-emr | 1 Openemr | 2021-02-18 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings. | |||||
| CVE-2020-19364 | 1 Open-emr | 1 Openemr | 2021-01-22 | 6.5 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php. | |||||
| CVE-2018-16795 | 1 Open-emr | 1 Openemr | 2021-01-05 | 6.8 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file. | |||||
| CVE-2019-3968 | 1 Open-emr | 1 Openemr | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface when creating a new form. | |||||
| CVE-2017-6394 | 1 Open-emr | 1 Openemr | 2020-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR 5.0.0 and 5.0.1-dev. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to the "openemr-master/gacl/admin/object_search.php" URL (section_value; src_form). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2018-18035 | 1 Open-emr | 1 Openemr | 2020-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. | |||||
| CVE-2019-16404 | 1 Open-emr | 1 Openemr | 2019-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter. | |||||