Filtered by vendor Open-emr
Subscribe
Total
128 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1179 | 1 Open-emr | 1 Openemr | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | |||||
| CVE-2022-1178 | 1 Open-emr | 1 Openemr | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | |||||
| CVE-2022-25041 | 1 Open-emr | 1 Openemr | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| OpenEMR v6.0.0 was discovered to contain an incorrect access control issue. | |||||
| CVE-2021-41843 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.8 MEDIUM | 6.5 MEDIUM |
| An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI. | |||||
| CVE-2020-13566 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection. | |||||
| CVE-2021-40352 | 1 Open-emr | 1 Openemr | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users. | |||||
| CVE-2021-32102 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | |||||
| CVE-2021-32101 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.4 MEDIUM | 8.2 HIGH |
| The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient. | |||||
| CVE-2021-32104 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | |||||
| CVE-2021-25923 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover. | |||||
| CVE-2021-32103 | 1 Open-emr | 1 Openemr | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | |||||
| CVE-2020-13568 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action is “Submit”, the POST parameter parent_id leads to a SQL injection. | |||||
| CVE-2021-25919 | 1 Open-emr | 1 Openemr | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2020-13565 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability. | |||||
| CVE-2020-29143 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. | |||||
| CVE-2020-13569 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2018-16795 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file. | |||||
| CVE-2021-25920 | 1 Open-emr | 1 Openemr | 2023-12-10 | 5.5 MEDIUM | 6.5 MEDIUM |
| In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user. | |||||
| CVE-2020-19364 | 1 Open-emr | 1 Openemr | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php. | |||||
| CVE-2020-36243 | 1 Open-emr | 1 Openemr | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters. | |||||