CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2020-29140
https://notcve.org/view.php?id=CVE-2020-29140
15 Feb 2021 — A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. Una vulnerabilidad de inyección SQL en el archivo interface/reports/immunization_report.php en OpenEMR versiones anteriores a 5.0.2.5, permite a un atacante autenticado remoto ejecutar comandos SQL arbitrarios por medio del parámetro form_code • https://community.open-emr.org/t/openemr-6-0-0-has-been-released/15732 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2020-29142
https://notcve.org/view.php?id=CVE-2020-29142
15 Feb 2021 — A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings. Una vulnerabilidad de inyección SQL en el archivo interface/usergroup/usergroup_admin.php en OpenEMR versiones anteriores a 5.0.2.5, permite a un atacante autenticado remoto ejecutar comandos SQL arbitrarios por medio del parámetro schedule_facility ... • https://community.open-emr.org/t/openemr-6-0-0-has-been-released/15732 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 1%CPEs: 2EXPL: 1CVE-2020-13565
https://notcve.org/view.php?id=CVE-2020-13565
10 Feb 2021 — An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability. Se presenta una vulnerabilidad de redireccionamiento abierto en la funcionalidad de redirección return_page de phpGACL versión 3.3.7, OpenEMR versión 5.0.2 y la versi... • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1178 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.0EPSS: 8%CPEs: 1EXPL: 1CVE-2020-36243
https://notcve.org/view.php?id=CVE-2020-36243
07 Feb 2021 — The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters. El Patient Portal de OpenEMR versión 5.0.2.1, está afectado por una vulnerabilidad de inyección de comandos en el archivo /interface/main/backup.php. Para explotar la vulnerabilidad, un atacante autenticado puede enviar una petición POST que ejecu... • https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.6EPSS: 1%CPEs: 2EXPL: 1CVE-2020-13564
https://notcve.org/view.php?id=CVE-2020-13564
01 Feb 2021 — A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter. Se presenta una vulnerabilidad de tipo cross-site scripting en la funcionalidad template de phpGACL versión 3.3.7. Una petición HTTP especialmente diseñada puede conllevar a una ejecución arbitraria de JavaScript. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.6EPSS: 1%CPEs: 2EXPL: 1CVE-2020-13563
https://notcve.org/view.php?id=CVE-2020-13563
01 Feb 2021 — A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter. Se presenta una vulnerabilidad de tipo cross-site scripting en la funcionalidad template de phpGACL versión 3.3.7. Una petición HTTP especialmente diseñada puede conllevar a una ejecución arbitraria de JavaScript. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.6EPSS: 2%CPEs: 2EXPL: 1CVE-2020-13562
https://notcve.org/view.php?id=CVE-2020-13562
01 Feb 2021 — A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnaerability in the phpGACL template action parameter. Se presenta una vulnerabilidad de tipo cross-site scripting en la funcionalidad template de phpGACL versión 3.3.7. Una petición HTTP especialmente diseñada puede conllevar a una ejecución arbitraria de JavaScript. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13569
https://notcve.org/view.php?id=CVE-2020-13569
28 Jan 2021 — A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability. Se presenta una vulnerabilidad de tipo cross-site request forgery en la funcionalidad GACL de OpenEMR versión 5.0.2 y versión de desarrollo 6.0.0 (commit babec... • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1180 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2020-19364
https://notcve.org/view.php?id=CVE-2020-19364
20 Jan 2021 — OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php. OpenEMR versión 5.0.1, permite a un atacante autenticado cargar y ejecutar scripts PHP maliciosos por medio del archivo /controller.php • https://github.com/EmreOvunc/OpenEMR_Vulnerabilities • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-16795
https://notcve.org/view.php?id=CVE-2018-16795
31 Dec 2020 — OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file. OpenEMR versión 5.0.1.3, permite una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) por medio de las bibliotecas library/ajax e interface/super, como es demostrado mediante el uso del archivo interface/super/manage_site_files.php para cargar un archivo .php. • https://community.open-emr.org/t/openemr-security/10597 • CWE-352: Cross-Site Request Forgery (CSRF) •