CVE-2018-10573
https://notcve.org/view.php?id=CVE-2018-10573
interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter. interface/fax/fax_dispatch.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante el parámetro scan. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 •
CVE-2018-10572
https://notcve.org/view.php?id=CVE-2018-10572
interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters. interface/patient_file/letter.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante los parámetros newtemplatename y form_body. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 •
CVE-2018-10571
https://notcve.org/view.php?id=CVE-2018-10571
Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date, or (19) form_to_date parameter to interface/billing/sl_eob_search.php; (20) codetype or (21) search_term parameter to interface/de_identification_forms/find_code_popup.php; (22) search_term parameter to interface/de_identification_forms/find_drug_popup.php; (23) search_term parameter to interface/de_identification_forms/find_immunization_popup.php; (24) id parameter to interface/forms/CAMOS/view.php; (25) id parameter to interface/forms/reviewofs/view.php; or (26) list_id parameter to library/custom_template/personalize.php. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) reflejado en OpenEMR, en versiones anteriores a la 5.0.1, permiten que atacantes remotos inyecten scripts web o HTML arbitrarios mediante (1) el parámetro patient en interface/main/finder/finder_navigation.php; (2) el parámetro key en interface/billing/get_claim_file.php; (3) los parámetros formid o (4) formseq en interface/orders/types.php; (5) los parámetros eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug o (10) InsId en interface/billing/sl_eob_process.php; (11) los parámetros form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date o (19) form_to_date en interface/billing/sl_eob_search.php; (20) los parámetros codetype o (21) search_term en interface/de_identification_forms/find_code_popup.php; (22) el parámetro search_term en interface/de_identification_forms/find_drug_popup.php; (23) el parámetro search_term en interface/de_identification_forms/find_immunization_popup.php; (24) el parámetro id en interface/forms/CAMOS/view.php; (25) el parámetro id en interface/forms/reviewofs/view.php o (26) el parámetro list_id parameter en library/custom_template/personalize.php. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 https://github.com/openemr/openemr/commit/699e3c2ef68545357cac714505df1419b8bf2051 https://github.com/openemr/openemr/issues/1518 https://github.com/openemr/openemr/pull/1519 https://www.open-emr.org/wiki/index.php/Release_Features#Version_5.0.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-1000020
https://notcve.org/view.php?id=CVE-2018-1000020
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. OpenEMR 5.0.0 contiene una vulnerabilidad de Cross Site Scripting (XSS) en open-flash-chart.swf y _posteddata.php. Parece ser que la vulnerabilidad se ha solucionado en la versión 5.0.0 Patch 2 y siguientes. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site-scripting-in-openemr/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-1000019
https://notcve.org/view.php?id=CVE-2018-1000019
OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. OpenEMR 5.0.0 contiene una vulnerabilidad de inyección de comandos del sistema operativo en fax_dispatch.php que puede resultar en la inyección de comandos del sistema operativo por parte de un atacante autenticado con cualquier rol. Parece ser que la vulnerabilidad se ha solucionado en la versión 5.0.0 Patch 2 y siguientes. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site-scripting-in-openemr/index.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •