CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15146
https://notcve.org/view.php?id=CVE-2018-15146
SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. Vulnerabilidad de inyección SQL en interface/de_identification_forms/find_immunization_popup.php en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto autenticado ejecute comandos SQL mediante el parámetro "search_term". • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15156
https://notcve.org/view.php?id=CVE-2018-15156
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. Ocurre una inyección de comandos de sistema operativo en las versiones de OpenEMR anteriores a la 5.0.1.4 que permite que un atacante autenticado remoto ejecute comandos arbitrarios realizando una petición manipulada a interface/fax/faxq.php después de modificar la variable global "hylafax_server" en interface/super/edit_globals.php. • https://github.com/openemr/openemr/pull/1757 https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15155
https://notcve.org/view.php?id=CVE-2018-15155
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php. Ocurre una inyección de comandos de sistema operativo en las versiones de OpenEMR anteriores a la 5.0.1.4 que permite que un atacante autenticado remoto ejecute comandos arbitrarios realizando una petición manipulada a interface/fax/fax_dispatch.php después de modificar la variable global "hylafax_enscript" en interface/super/edit_globals.php. • https://github.com/openemr/openemr/pull/1757 https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15147
https://notcve.org/view.php?id=CVE-2018-15147
SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter. Vulnerabilidad de inyección SQL en interface/forms_admin/forms_admin.php from library/registry.inc en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto autenticado ejecute comandos SQL mediante el parámetro "id". • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15149
https://notcve.org/view.php?id=CVE-2018-15149
SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter. Vulnerabilidad de inyección SQL en interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto autenticado ejecute comandos SQL mediante el parámetro "encounter". • https://github.com/openemr/openemr/pull/1757/files https://insecurity.sh/reports/openemr.pdf https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •