CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2019-3966
https://notcve.org/view.php?id=CVE-2019-3966
20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. En OpenEMR 5.0.1 y versiones anteriores, controller.php contiene una vulnerabilidad XSS reflejada en el parámetro foreign_id. Esto podría permitir a un atacante ejecutar código arbitrario en el contexto de la sesión de un usuario. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2019-3965
https://notcve.org/view.php?id=CVE-2019-3965
20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. En OpenEMR 5.0.1 y versiones anteriores, controller.php contiene una vulnerabilidad XSS reflejada en el parámetro document_id. Esto podría permitir a un atacante ejecutar código arbitrario en el contexto de la sesión de un usuario. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2019-3964
https://notcve.org/view.php?id=CVE-2019-3964
20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. En OpenEMR 5.0.1 y versiones anteriores, controller.php contiene una vulnerabilidad XSS reflejada en el parámetro doc_id. Esto podría permitir a un atacante ejecutar código arbitrario en el contexto de la sesión de un usuario. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2019-3963
https://notcve.org/view.php?id=CVE-2019-3963
20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. En OpenEMR 5.0.1 y versiones anteriores, controller.php contiene una vulnerabilidad XSS reflejada en el parámetro patient_id. Esto podría permitir a un atacante ejecutar código arbitrario en el contexto de la sesión de un usuario. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 34%CPEs: 1EXPL: 8CVE-2019-14530 – OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
https://notcve.org/view.php?id=CVE-2019-14530
13 Aug 2019 — An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server. Se descubrió un problema en custom / ajax_download.php en OpenEMR antes de 5.0.2 a través del parámetro fileName. Un atacante puede descargar cualqu... • https://packetstorm.news/files/id/163375 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14529
https://notcve.org/view.php?id=CVE-2019-14529
02 Aug 2019 — OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php. OpenEMR anterior a versión 5.0.2, permite la inyección SQL en el archivo interface/forms/eye_mag/save.php. • https://github.com/Wezery/CVE-2019-14529 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17181
https://notcve.org/view.php?id=CVE-2018-17181
17 May 2019 — An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php. Un problema fue descubierto en OpenEMR antes de 5.0.1 Patch 7. La SQL Injection existe en las funciones SaveAudit en /portal/lib/paylib.php y portalAudit en /portal/lib/appsql.class.php. • https://github.com/openemr/openemr/commit/4963fe4932a0a4e1e982642226174e9931d09541 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17180
https://notcve.org/view.php?id=CVE-2018-17180
17 May 2019 — An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php. Un problema fue descubierto en OpenEMR antes de la versión 5.0.1 del Patch 7 . Directory Traversal existe por medio de docid = .. / to /portal/lib/download_template.php. • https://github.com/openemr/openemr/commit/4963fe4932a0a4e1e982642226174e9931d09541 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2018-17179 – OpenEMR 5.0.1 Patch 6 SQL Injection
https://notcve.org/view.php?id=CVE-2018-17179
17 May 2019 — An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php. Un problema fue descubierto en OpenEMR antes del Patch 5.0.1. Hay SQL Injection en la función make_task en /interface/forms/eye_mag/php/taskman_functions.php a través de /interface/forms/eye_mag/taskman.php. • https://packetstorm.news/files/id/180735 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-18035
https://notcve.org/view.php?id=CVE-2018-18035
02 Apr 2019 — A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. Una vulnerabilidad en flashcanvas.swf en OpenEMR, en versiones anteriores a la 5.0.1; Parche 6, podría permitir que un atacante remoto no autenticado lleve a cabo un ataque de Cross-Site Scripting (XSS) en un sistema objetivo. • https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •