Vulnerabilities (CVE)

Filtered by vendor Open-emr Subscribe
Filtered by product Openemr
Total 128 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1461 1 Open-emr 1 Openemr 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2022-1458 1 Open-emr 1 Openemr 2024-02-28 3.5 LOW 5.4 MEDIUM
Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2022-25041 1 Open-emr 1 Openemr 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.
CVE-2021-41843 1 Open-emr 1 Openemr 2024-02-28 6.8 MEDIUM 6.5 MEDIUM
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.
CVE-2021-32104 1 Open-emr 1 Openemr 2024-02-28 6.5 MEDIUM 8.8 HIGH
A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1.
CVE-2021-32102 1 Open-emr 1 Openemr 2024-02-28 6.5 MEDIUM 8.8 HIGH
A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1.
CVE-2021-32103 1 Open-emr 1 Openemr 2024-02-28 3.5 LOW 4.8 MEDIUM
A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter.
CVE-2020-13568 2 Open-emr, Phpgacl Project 2 Openemr, Phpgacl 2024-02-28 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action is “Submit”, the POST parameter parent_id leads to a SQL injection.
CVE-2021-25923 1 Open-emr 1 Openemr 2024-02-28 6.8 MEDIUM 8.1 HIGH
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
CVE-2021-32101 1 Open-emr 1 Openemr 2024-02-28 6.4 MEDIUM 8.2 HIGH
The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient.
CVE-2021-40352 1 Open-emr 1 Openemr 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.
CVE-2020-13566 2 Open-emr, Phpgacl Project 2 Openemr, Phpgacl 2024-02-28 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection.
CVE-2020-19364 1 Open-emr 1 Openemr 2024-02-28 6.5 MEDIUM 8.8 HIGH
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.
CVE-2021-25921 1 Open-emr 1 Openemr 2024-02-28 3.5 LOW 5.4 MEDIUM
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit.
CVE-2020-29142 1 Open-emr 1 Openemr 2024-02-28 6.5 MEDIUM 7.2 HIGH
A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings.
CVE-2021-25922 1 Open-emr 1 Openemr 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.
CVE-2021-25918 1 Open-emr 1 Openemr 2024-02-28 3.5 LOW 4.8 MEDIUM
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVE-2020-13564 2 Open-emr, Phpgacl Project 2 Openemr, Phpgacl 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter.
CVE-2020-13569 1 Open-emr 1 Openemr 2024-02-28 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2021-25917 1 Open-emr 1 Openemr 2024-02-28 3.5 LOW 4.8 MEDIUM
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.