CVE-2018-1000020
https://notcve.org/view.php?id=CVE-2018-1000020
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site-scripting-in-openemr/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1000019
https://notcve.org/view.php?id=CVE-2018-1000019
OpenEMR version 5.0.0 contains an OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site-scripting-in-openemr/index.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2017-1000240
https://notcve.org/view.php?id=CVE-2017-1000240
The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-1000241
https://notcve.org/view.php?id=CVE-2017-1000241
The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by a vertical privilege escalation vulnerability. This vulnerability can allow authenticated non-administrator users to view and modify information only accessible to administrators. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-004 • CWE-269: Improper Privilege Management
CVE-2017-12064
https://notcve.org/view.php?id=CVE-2017-12064
The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name. • https://github.com/openemr/openemr/commit/b8963a5ca483211ed8de71f18227a0e66a2582ad • CWE-116: Improper Encoding or Escaping of Output