
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Apr 2018 — interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Apr 2018 — Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12)... • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Apr 2018 — interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

09 Feb 2018 — OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

09 Feb 2018 — OpenEMR version 5.0.0 contains an OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Nov 2017 — The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by a vertical privilege escalation vulnerability. This vulnerability can allow authenticated non-administrator users to view and modify information only accessible to administrators. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-004 • CWE-269: Improper Privilege Management

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Nov 2017 — The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Nov 2017 — OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database copying because setup.php exposes functionality for cloning an existing OpenEMR site to an arbitrary attacker-controlled MySQL server via vectors involving a crafted state parameter. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Aug 2017 — The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name. • https://github.com/openemr/openemr/commit/b8963a5ca483211ed8de71f18227a0e66a2582ad • CWE-116: Improper Encoding or Escaping of Output

CVSS: 8.8 • EPSS: 2% • CPEs: 1 • EXPL: 4

02 Jun 2017 — OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. • https://packetstorm.news/files/id/163087 • CWE-434: Unrestricted Upload of File with Dangerous Type