CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2013-4619 – OpenEMR 4.1.1 patch-12 Cross Site Scripting / SQL Injection
https://notcve.org/view.php?id=CVE-2013-4619
14 Jul 2013 — Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) start or (2) end parameter to interface/reports/custom_report_range.php, or the (3) form_newid parameter to custom/chart_tracker.php. Múltiples vulnerabilidades de inyección SQL en OpenEMR v4.1.1 permite a usuarios autenticados remotamente ejecutar comandos SQL arbitrarios a través de los parámetros (1) “start” o (2) “end” interface/reports/custom_report_range.php, o en el p... • https://packetstorm.news/files/id/122391 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2013-4620 – OpenEMR 4.1 - 'note' HTML Injection
https://notcve.org/view.php?id=CVE-2013-4620
14 Jul 2013 — Cross-site scripting (XSS) vulnerability in interface/main/onotes/office_comments_full.php in OpenEMR 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the note parameter. Vulnerabilidad Cross-site scripting (XSS) en interface/main/onotes/office_comments_full.php en OpenEMR v4.1.1 , permite a atacantes remotos ejecutar secuencias de comandos web o HTML arbitrarias a través del parámetro “note”. OpenEMR versions 4.1.1 patch-12 and below suffer from cross site scripting and remote SQL i... • https://packetstorm.news/files/id/122391 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 3CVE-2012-2115 – OpenEMR 4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2115
09 Sep 2012 — SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the u parameter. Vulnerabilidad de inyección SQL en interface/login/validateUser.php en OpenEMR v4.1.0 y posiblemente versiones anteriores, permiten a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro u. • https://www.exploit-db.com/exploits/18274 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 2CVE-2011-5161 – OpenEMR 4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-5161
09 Sep 2012 — Unrestricted file upload vulnerability in the patient photograph functionality in OpenEMR 4 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the patient directory under documents/. Vulnerabilidad de subida de ficheros sin restricciones en la funcionalidad fotografía de paciente en OpenEMR v4, permite a atacantes remotos ejecutar código PHP de su elección mediante la carga de un archi... • https://www.exploit-db.com/exploits/18274 •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 3CVE-2011-5160 – OpenEMR 4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-5160
09 Sep 2012 — Cross-site scripting (XSS) vulnerability in setup.php in OpenEMR 4 allows remote attackers to inject arbitrary web script or HTML via the site parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en OpenEMR v4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro site. • https://www.exploit-db.com/exploits/18274 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 3CVE-2012-0992 – OpenEMR 4.1 - '/Interface/fax/fax_dispatch.php?File' 'exec()' Call Arbitrary Shell Command Execution
https://notcve.org/view.php?id=CVE-2012-0992
07 Feb 2012 — interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the file parameter. interface/fax/fax_dispatch.php en OpenEMR v4.1.0, permite a usuarios autenticados remotamente ejecutar comandos de su elección a través de metacaracteres de linea de comandos en el parámetro file. • https://www.exploit-db.com/exploits/36651 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 4%CPEs: 1EXPL: 6CVE-2012-0991 – OpenEMR 4.1 - '/contrib/acog/print_form.php?formname' Traversal Local File Inclusion
https://notcve.org/view.php?id=CVE-2012-0991
07 Feb 2012 — Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter. Múltiples vulnerabilidades de salto de directorio en OpenEMR v4.1.0, permite a usuarios autenticados remotamente leer archivos de su elección a través de un .. (punto punto) en el parámetro formname en (1) contri... • https://www.exploit-db.com/exploits/36650 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2007-0649 – OpenEMR 2.8.2 - 'Import_XML.php' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2007-0649
01 Feb 2007 — Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue w... • https://www.exploit-db.com/exploits/29556 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 2CVE-2006-5811 – OpenEMR 2.8.1 - 'srcdir' Multiple Remote File Inclusions
https://notcve.org/view.php?id=CVE-2006-5811
08 Nov 2006 — PHP remote file inclusion vulnerability in library/translation.inc.php in OpenEMR 2.8.1, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[srcdir] parameter. Vulnerabilidad de inclusión remota de archivo en PHP en library/translation.inc.php de OpenEMR 2.8.1, cuando register_globals está activado, permite a atacantes remotos ejecutar código PHP de su elección mediante una URL en el parámetro GLOBALS[srcdir]. • https://www.exploit-db.com/exploits/2727 •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 2CVE-2006-5795 – OpenEMR 2.8.1 - 'srcdir' Multiple Remote File Inclusions
https://notcve.org/view.php?id=CVE-2006-5795
08 Nov 2006 — Multiple PHP remote file inclusion vulnerabilities in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the srcdir parameter to (a) billing_process.php, (b) billing_report.php, (c) billing_report_xml.php, and (d) print_billing_report.php in interface/billing/; (e) login.php; (f) interface/batchcom/batchcom.php; (g) interface/login/login.php; (h) main_info.php and (i) main.php in interface/main/; (j) interface/new/new_patient_save.p... • https://www.exploit-db.com/exploits/2727 •