CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15143
https://notcve.org/view.php?id=CVE-2018-15143
13 Aug 2018 — Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) catid or (2) providerid parameter. Múltiples vulnerabilidades de inyección SQL en portal/find_appt_popup_user.php en versiones de OpenEMR anteriores a la 5.0.1.4 permiten que un atacante remoto ejecute comandos SQL mediante los parámetros (1) catid o (2) providerid. • https://github.com/openemr/openemr/pull/1758/files • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 12%CPEs: 1EXPL: 0CVE-2018-9250
https://notcve.org/view.php?id=CVE-2018-9250
18 May 2018 — interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter. interface\super\edit_list.php en OpenEMR en versiones anteriores a la v5_0_1_1 permite que usuarios autenticados remotos ejecuten comandos SQL arbitrarios mediante el parámetro newlistname. • https://github.com/openemr/openemr/commit/2a5dd0601e1f616251006d7471997ecd7aaf9651 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10573
https://notcve.org/view.php?id=CVE-2018-10573
30 Apr 2018 — interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter. interface/fax/fax_dispatch.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante el parámetro scan. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10571
https://notcve.org/view.php?id=CVE-2018-10571
30 Apr 2018 — Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12)... • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10572
https://notcve.org/view.php?id=CVE-2018-10572
30 Apr 2018 — interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters. interface/patient_file/letter.php en OpenEMR, en versiones anteriores a la 5.0.1, permite que usuarios autenticados remotos omitan las restricciones de acceso planeadas mediante los parámetros newtemplatename y form_body. • https://csticsfrontline.wordpress.com/2018/05/24/openemr-%E5%BC%B1%E9%BB%9E%E5%88%86%E6%9E%90 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000020
https://notcve.org/view.php?id=CVE-2018-1000020
09 Feb 2018 — OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. OpenEMR 5.0.0 contiene una vulnerabilidad de Cross Site Scripting (XSS) en open-flash-chart.swf y _posteddata.php. Parece ser que la vulnerabilidad se ha solucionado en la versión 5.0.0 Patch 2 y siguientes. • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000019
https://notcve.org/view.php?id=CVE-2018-1000019
09 Feb 2018 — OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. OpenEMR 5.0.0 contiene una vulnerabilidad de inyección de comandos del sistema operativo en fax_dispatch.php que puede resultar en la inyección de comandos del sistema operativo por parte de un atacante autenticado con cualquier rol. Parece ser que la vulnerabilidad... • http://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000241
https://notcve.org/view.php?id=CVE-2017-1000241
17 Nov 2017 — The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability can allow an authenticated non-administrator users to view and modify information only accessible to administrators. La aplicación OpenEMR en versiones 5.0.0, 5.0.1-dev y anteriores se ve afectada por una vulnerabilidad de escalado vertical de privilegios. Esta vulnerabilidad puede permitir que los usuarios no administradores autenticados visualicen y modifiquen informaci... • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-004 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000240
https://notcve.org/view.php?id=CVE-2017-1000240
17 Nov 2017 — The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. La aplicación OpenEMR se ve afectada por múltiples vulnerabilidades de Cross-Site Scripting (XSS) reflejado que afectan a las versiones 5.0.0 y anteriores. Estas vulnerabilidades podrían permitir que atacantes remotos autenticados inyecten scripts web o... • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12064
https://notcve.org/view.php?id=CVE-2017-12064
01 Aug 2017 — The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name. La función csv_log_html en library/edihistory/edih_csv_inc.php en OpenEMR 5.0.0 y anteriores permite a los atacantes evadir las restricciones de acceso mediante un nombre manipulado. • https://github.com/openemr/openemr/commit/b8963a5ca483211ed8de71f18227a0e66a2582ad • CWE-116: Improper Encoding or Escaping of Output •