
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php. • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter. • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 82% • CPEs: 1 • EXPL: 1

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. • https://github.com/openemr/openemr/pull/1757 https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.exploit-db.com/exploits/45161 https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')