CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2018-1000218
https://notcve.org/view.php?id=CVE-2018-1000218
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'file' parameter in line #43 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL.. OpenEMR v5_0_1_4 contiene una vulnerabilidad Cross-Site Scripting (XSS) en el parámetro "file" en la línea #43 de interface/fax/fax_view.php que puede resultar en que la vulnerabilidad permita que los atacante autenticados remotos inyecten scripts web o HTML arbitrarios. Este ataque parece ser explotable si una víctima abre una URL especialmente manipulada. • https://github.com/openemr/openemr/blob/1b495b0b3cd16daf1e5f085145d9e19dea479c7f/interface/fax/fax_view.php#L43 https://github.com/openemr/openemr/issues/1781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15150
https://notcve.org/view.php?id=CVE-2018-15150
SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php. Vulnerabilidad de inyección SQL en interface/de_identification_forms/de_identification_screen2.php en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto autenticado ejecute comandos SQL mediante la variable "temporary_files_dir" en interface/super/edit_globals.php. • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15148
https://notcve.org/view.php?id=CVE-2018-15148
SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter. Vulnerabilidad de inyección SQL en interface/patient_file/encounter/search_code.php en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto autenticado ejecute comandos SQL mediante el parámetro "text". • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15151
https://notcve.org/view.php?id=CVE-2018-15151
SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. Vulnerabilidad de inyección SQL en interface/de_identification_forms/find_code_popup.php en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto autenticado ejecute comandos SQL mediante el parámetro "search_term". • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 82%CPEs: 1EXPL: 1CVE-2018-15153
https://notcve.org/view.php?id=CVE-2018-15153
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. Ocurre una inyección de comandos de sistema operativo en las versiones de OpenEMR anteriores a la 5.0.1.4 que permite que un atacante autenticado remoto ejecute comandos arbitrarios realizando una petición manipulada a interface/main/daemon_frame.php después de modificar la variable global "hylafax_server" en interface/super/edit_globals.php. • https://github.com/openemr/openemr/pull/1757 https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.exploit-db.com/exploits/45161 https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •