The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient.
References
Configurations
History
21 Nov 2024, 06:06
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability - Third Party Advisory | |
References | () https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431 - Vendor Advisory | |
References | () https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592 - Third Party Advisory | |
References | () https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal - Third Party Advisory |
Information
Published : 2021-05-07 04:15
Updated : 2024-11-21 06:06
NVD link : CVE-2021-32101
Mitre link : CVE-2021-32101
CVE.ORG link : CVE-2021-32101
JSON object : View
Products Affected
open-emr
- openemr
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource