Page 10 of 128 results (0.007 seconds)

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1

CVE-2021-25923

https://notcve.org/view.php?id=CVE-2021-25923

In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover. En OpenEMR, versiones 5.0.0 hasta 6.0.0.1, son vulnerables a requisitos de contraseñas débiles, ya que no aplica un límite de longitud máxima de la contraseña. Si un usuario malicioso esta consciente los primeros 72 caracteres de la contraseña del usuario víctima, puede aprovecharlos para hacerse con una cuenta • https://github.com/openemr/openemr/commit/28ca5c008d4a408b60001a67dfd3e0915f9181e0 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25923 • CWE-521: Weak Password Requirements •

CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-32101

https://notcve.org/view.php?id=CVE-2021-32101

The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient. El Patient Portal of OpenEMR versión 5.0.2.1, está afectado por un sistema de control de acceso incorrecto en el archivo portal/patient/_machine_config.php. Para explotar la vulnerabilidad, un atacante no autenticado puede registrar una cuenta, sin pasar por la comprobación de permisos de la API de este portal. • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431 https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592 https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-32102

https://notcve.org/view.php?id=CVE-2021-32102

A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. Se presenta vulnerabilidad de inyección SQL (con privilegios de usuario) en la biblioteca library/custom_template/ajax_code.php en OpenEMR versión 5.0.2.1 • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431 https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592 https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal https://www.open-emr.org/wiki/index.php/Old_Outdated_OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-32103

https://notcve.org/view.php?id=CVE-2021-32103

A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. Una vulnerabilidad de tipo XSS almacenado en el archivo interface/usergroup/usergroup_admin.php en OpenEMR versiones anteriores a 5.0.2.1, permite a un usuario autenticado por un administrador inyectar un script web o HTML arbitrario por medio del parámetro lname • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431 https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592 https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-32104

https://notcve.org/view.php?id=CVE-2021-32104

A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. Se presenta vulnerabilidad de inyección SQL (con privilegios de usuario) en el archivo interface/forms/eye_mag/save.php en OpenEMR versión 5.0.2.1 • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431 https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592 https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal https://www.open-emr.org/wiki/index.php/Old_Outdated_OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •