CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25923
https://notcve.org/view.php?id=CVE-2021-25923
24 Jun 2021 — In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover. En OpenEMR, versiones 5.0.0 hasta 6.0.0.1, son vulnerables a requisitos de contraseñas débiles, ya que no aplica un límite de longitud máxima de la contraseña. Si un usuario malicioso esta consciente los primeros 72 caracteres de la contraseña... • https://github.com/openemr/openemr/commit/28ca5c008d4a408b60001a67dfd3e0915f9181e0 • CWE-521: Weak Password Requirements •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32101
https://notcve.org/view.php?id=CVE-2021-32101
07 May 2021 — The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient. El Patient Portal of OpenEMR versión 5.0.2.1, está afectado por un sistema de control de acceso incorrecto en el archivo portal/patient/_machine_config.php. Para e... • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32102
https://notcve.org/view.php?id=CVE-2021-32102
07 May 2021 — A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. Se presenta vulnerabilidad de inyección SQL (con privilegios de usuario) en la biblioteca library/custom_template/ajax_code.php en OpenEMR versión 5.0.2.1 • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32103
https://notcve.org/view.php?id=CVE-2021-32103
07 May 2021 — A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. Una vulnerabilidad de tipo XSS almacenado en el archivo interface/usergroup/usergroup_admin.php en OpenEMR versiones anteriores a 5.0.2.1, permite a un usuario autenticado por un administrador inyectar un script web o HTML arbitrario por medio del parámetro lname • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32104
https://notcve.org/view.php?id=CVE-2021-32104
07 May 2021 — A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. Se presenta vulnerabilidad de inyección SQL (con privilegios de usuario) en el archivo interface/forms/eye_mag/save.php en OpenEMR versión 5.0.2.1 • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25922
https://notcve.org/view.php?id=CVE-2021-25922
22 Mar 2021 — In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code. En OpenEMR, las versiones 4.2.0 a 6.0.0 son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Reflejado debido a que la entrada del usuario no es validada apropiadamente. Un atacante podría engañar a un usuario para que haga clic en una URL maliciosa y ejecute un código m... • https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25917
https://notcve.org/view.php?id=CVE-2021-25917
22 Mar 2021 — In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. En OpenEMR, las versiones 5.0.2 a 6.0.0 son vulnerables a Stored Cross-Site-Scripting (XSS) debido a que la entrada del usuario no se valida correctamente y se renderiza en la página del método de autenticación de... • https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25918
https://notcve.org/view.php?id=CVE-2021-25918
22 Mar 2021 — In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. En OpenEMR, versiones 5.0.2 a 6.0.0, son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Almacenado debido a que la entrada del usuario no es validada apropiadamente. Un atacante muy privilegiado podría inyectar ... • https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25920
https://notcve.org/view.php?id=CVE-2021-25920
22 Mar 2021 — In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user. En OpenEMR, las versiones v2.7.2-rc1 a 6.0.0, son vulnerables a un Control de Acceso Inapropiado al crear un nuevo usuario, lo que conlleva a que un usuario malicioso sea capaz de leer y enviar mensajes confidenciales en nombre del usuario víctima • https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f • CWE-178: Improper Handling of Case Sensitivity •
CVSS: 5.4EPSS: 1%CPEs: 1EXPL: 0CVE-2021-25921
https://notcve.org/view.php?id=CVE-2021-25921
22 Mar 2021 — In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit. En OpenEMR, las versiones 2.7.3-rc1 a 6.0.0, son vulnerables a un ataque de tipo Cross-Site-Scripting (XSS) Almacenado debido a que la entrada del usuario no es validada apropiadamente en la sección "Allergies". Un atacante podría convencer a un... • https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •