CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Open-emr » Openemr » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-2824 2022-08-15 2022-08-16
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.
2 CVE-2022-2734 1021 2022-08-09 2022-08-12
0.0
None ??? ??? ??? ??? ??? ???
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
3 CVE-2022-2733 79 XSS 2022-08-09 2022-08-12
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
4 CVE-2022-2732 269 2022-08-09 2022-08-12
0.0
None ??? ??? ??? ??? ??? ???
Improper Privilege Management in GitHub repository openemr/openemr prior to 7.0.0.1.
5 CVE-2022-2731 79 XSS 2022-08-09 2022-08-12
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
6 CVE-2022-2730 639 Bypass 2022-08-09 2022-08-12
0.0
None ??? ??? ??? ??? ??? ???
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
7 CVE-2022-2729 79 XSS 2022-08-09 2022-08-12
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr prior to 7.0.0.1.
8 CVE-2022-2494 79 XSS 2022-07-22 2022-07-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.
9 CVE-2022-2493 2022-07-22 2022-07-27
0.0
None ??? ??? ??? ??? ??? ???
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
10 CVE-2022-1461 639 2022-04-25 2022-05-04
4.0
None Remote Low ??? None Partial None
Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
11 CVE-2022-1459 639 2022-04-25 2022-05-04
5.5
None Remote Low ??? Partial Partial None
Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.
12 CVE-2022-1458 79 XSS 2022-04-25 2022-05-04
3.5
None Remote Medium ??? None Partial None
Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
13 CVE-2022-1181 79 XSS 2022-03-30 2022-04-04
3.5
None Remote Medium ??? None Partial None
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.
14 CVE-2022-1180 79 XSS 2022-03-30 2022-04-04
3.5
None Remote Medium ??? None Partial None
Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
15 CVE-2022-1179 79 XSS 2022-03-30 2022-04-04
3.5
None Remote Medium ??? None Partial None
Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
16 CVE-2022-1178 79 XSS 2022-03-30 2022-04-04
3.5
None Remote Medium ??? None Partial None
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
17 CVE-2022-1177 863 2022-03-30 2022-04-04
4.0
None Remote Low ??? Partial None None
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
18 CVE-2021-32103 79 XSS 2021-05-07 2021-05-11
3.5
None Remote Medium ??? None Partial None
A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter.
19 CVE-2021-25923 521 2021-06-24 2021-06-30
6.8
None Remote Medium Not required Partial Partial Partial
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
20 CVE-2021-25922 79 Exec Code XSS 2021-03-22 2021-03-24
4.3
None Remote Medium Not required None Partial None
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.
21 CVE-2021-25921 79 XSS 2021-03-22 2021-03-24
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit.
22 CVE-2021-25920 178 2021-03-22 2022-07-12
5.5
None Remote Low ??? Partial Partial None
In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.
23 CVE-2021-25919 79 XSS 2021-03-22 2021-03-24
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
24 CVE-2021-25918 79 XSS 2021-03-22 2021-03-29
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
25 CVE-2021-25917 79 XSS 2021-03-22 2021-03-29
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
26 CVE-2020-29143 89 Exec Code Sql 2021-02-15 2021-02-22
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.
27 CVE-2020-29142 89 Exec Code Sql 2021-02-15 2021-02-18
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings.
28 CVE-2020-29140 89 Exec Code Sql 2021-02-15 2021-02-22
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.
29 CVE-2020-29139 89 Exec Code Sql 2021-02-15 2021-02-22
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter.
30 CVE-2019-17409 79 XSS 2019-10-21 2019-10-21
4.3
None Remote Medium Not required None Partial None
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
31 CVE-2019-17197 89 Sql 2019-10-05 2019-10-08
7.5
None Remote Low Not required Partial Partial Partial
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.
32 CVE-2019-17179 79 XSS 2019-10-04 2019-10-21
4.3
None Remote Medium Not required None Partial None
4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1
33 CVE-2019-16862 79 Exec Code XSS 2019-10-21 2019-10-21
4.3
None Remote Medium Not required None Partial None
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.
34 CVE-2019-16404 89 Sql 2019-10-21 2019-10-22
6.5
None Remote Low ??? Partial Partial Partial
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
35 CVE-2019-14530 22 Dir. Trav. 2019-08-13 2022-02-10
6.0
None Remote Medium ??? Partial Partial Partial
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
36 CVE-2019-14529 89 Sql 2019-08-02 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.
37 CVE-2019-3968 78 Exec Code 2019-08-20 2020-08-24
9.0
None Remote Low ??? Complete Complete Complete
In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface when creating a new form.
38 CVE-2019-3967 22 Dir. Trav. 2019-08-20 2019-08-27
4.0
None Remote Low ??? Partial None None
In OpenEMR 5.0.1 and earlier, the patient file download interface contains a directory traversal flaw that allows authenticated attackers to download arbitrary files from the host system.
39 CVE-2019-3966 79 Exec Code XSS 2019-08-20 2019-08-26
4.3
None Remote Medium Not required None Partial None
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
40 CVE-2019-3965 79 Exec Code XSS 2019-08-20 2019-08-22
4.3
None Remote Medium Not required None Partial None
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
41 CVE-2019-3964 79 Exec Code XSS 2019-08-20 2019-08-22
4.3
None Remote Medium Not required None Partial None
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
42 CVE-2019-3963 79 Exec Code XSS 2019-08-20 2019-08-22
4.3
None Remote Medium Not required None Partial None
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
43 CVE-2018-18035 79 XSS 2019-04-02 2020-01-23
4.3
None Remote Medium Not required None Partial None
A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
44 CVE-2018-17181 89 Sql 2019-05-17 2019-05-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.
45 CVE-2018-17180 22 Dir. Trav. 2019-05-17 2019-05-20
5.0
None Remote Low Not required Partial None None
An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php.
46 CVE-2018-17179 89 Sql 2019-05-17 2019-05-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
47 CVE-2018-15156 78 Exec Code 2018-08-15 2018-10-10
6.5
None Remote Low ??? Partial Partial Partial
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.
48 CVE-2018-15155 78 Exec Code 2018-08-15 2018-10-10
6.5
None Remote Low ??? Partial Partial Partial
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php.
49 CVE-2018-15154 78 Exec Code 2018-08-15 2018-10-10
6.5
None Remote Low ??? Partial Partial Partial
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the "print_command" global variable in interface/super/edit_globals.php.
50 CVE-2018-15153 78 Exec Code 2018-08-15 2018-10-10
6.5
None Remote Low ??? Partial Partial Partial
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.
Total number of vulnerabilities : 71   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.