CVSS: 8.8EPSS: 22%CPEs: 1EXPL: 0CVE-2018-9250
https://notcve.org/view.php?id=CVE-2018-9250
interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter. interface\super\edit_list.php en OpenEMR en versiones anteriores a la v5_0_1_1 permite que usuarios autenticados remotos ejecuten comandos SQL arbitrarios mediante el parámetro newlistname. • https://github.com/openemr/openemr/commit/2a5dd0601e1f616251006d7471997ecd7aaf9651 https://github.com/openemr/openemr/pull/1578 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10573
https://notcve.org/view.php?id=CVE-2018-10573
interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter. interface/fax/fax_dispatch.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante el parámetro scan. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10572
https://notcve.org/view.php?id=CVE-2018-10572
interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters. interface/patient_file/letter.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante los parámetros newtemplatename y form_body. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10571
https://notcve.org/view.php?id=CVE-2018-10571
Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date, or (19) form_to_date parameter to interface/billing/sl_eob_search.php; (20) codetype or (21) search_term parameter to interface/de_identification_forms/find_code_popup.php; (22) search_term parameter to interface/de_identification_forms/find_drug_popup.php; (23) search_term parameter to interface/de_identification_forms/find_immunization_popup.php; (24) id parameter to interface/forms/CAMOS/view.php; (25) id parameter to interface/forms/reviewofs/view.php; or (26) list_id parameter to library/custom_template/personalize.php. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) reflejado en OpenEMR, en versiones anteriores a la 5.0.1, permiten que atacantes remotos inyecten scripts web o HTML arbitrarios mediante (1) el parámetro patient en interface/main/finder/finder_navigation.php; (2) el parámetro key en interface/billing/get_claim_file.php; (3) los parámetros formid o (4) formseq en interface/orders/types.php; (5) los parámetros eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug o (10) InsId en interface/billing/sl_eob_process.php; (11) los parámetros form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date o (19) form_to_date en interface/billing/sl_eob_search.php; (20) los parámetros codetype o (21) search_term en interface/de_identification_forms/find_code_popup.php; (22) el parámetro search_term en interface/de_identification_forms/find_drug_popup.php; (23) el parámetro search_term en interface/de_identification_forms/find_immunization_popup.php; (24) el parámetro id en interface/forms/CAMOS/view.php; (25) el parámetro id en interface/forms/reviewofs/view.php o (26) el parámetro list_id parameter en library/custom_template/personalize.php. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000241
https://notcve.org/view.php?id=CVE-2017-1000241
The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability can allow an authenticated non-administrator users to view and modify information only accessible to administrators. La aplicación OpenEMR en versiones 5.0.0, 5.0.1-dev y anteriores se ve afectada por una vulnerabilidad de escalado vertical de privilegios. Esta vulnerabilidad puede permitir que los usuarios no administradores autenticados visualicen y modifiquen información a la que solo los administradores pueden acceder. • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-004 • CWE-269: Improper Privilege Management •