Page 18 of 111 results (0.008 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed directory. Salto de directorio en portal/import_template.php en versiones de OpenEMR anteriores a la 5.0.1.4 permite que un atacante autenticado remoto ejecute código PHP arbitrario escribiendo un archivo con una extensión PHP mediante los parámetros "docid" y "content" y accediendo a él en el directorio saltado. OpenEMR version 5.0.1.3 suffers from arbitrary file read, write, and delete vulnerabilities. • https://www.exploit-db.com/exploits/45202 https://github.com/openemr/openemr/pull/1765/files https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.8EPSS: 22%CPEs: 1EXPL: 0

interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter. interface\super\edit_list.php en OpenEMR en versiones anteriores a la v5_0_1_1 permite que usuarios autenticados remotos ejecuten comandos SQL arbitrarios mediante el parámetro newlistname. • https://github.com/openemr/openemr/commit/2a5dd0601e1f616251006d7471997ecd7aaf9651 https://github.com/openemr/openemr/pull/1578 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter. interface/fax/fax_dispatch.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante el parámetro scan. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters. interface/patient_file/letter.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante los parámetros newtemplatename y form_body. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date, or (19) form_to_date parameter to interface/billing/sl_eob_search.php; (20) codetype or (21) search_term parameter to interface/de_identification_forms/find_code_popup.php; (22) search_term parameter to interface/de_identification_forms/find_drug_popup.php; (23) search_term parameter to interface/de_identification_forms/find_immunization_popup.php; (24) id parameter to interface/forms/CAMOS/view.php; (25) id parameter to interface/forms/reviewofs/view.php; or (26) list_id parameter to library/custom_template/personalize.php. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) reflejado en OpenEMR, en versiones anteriores a la 5.0.1, permiten que atacantes remotos inyecten scripts web o HTML arbitrarios mediante (1) el parámetro patient en interface/main/finder/finder_navigation.php; (2) el parámetro key en interface/billing/get_claim_file.php; (3) los parámetros formid o (4) formseq en interface/orders/types.php; (5) los parámetros eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug o (10) InsId en interface/billing/sl_eob_process.php; (11) los parámetros form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date o (19) form_to_date en interface/billing/sl_eob_search.php; (20) los parámetros codetype o (21) search_term en interface/de_identification_forms/find_code_popup.php; (22) el parámetro search_term en interface/de_identification_forms/find_drug_popup.php; (23) el parámetro search_term en interface/de_identification_forms/find_immunization_popup.php; (24) el parámetro id en interface/forms/CAMOS/view.php; (25) el parámetro id en interface/forms/reviewofs/view.php o (26) el parámetro list_id parameter en library/custom_template/personalize.php. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •