CVSS: 8.5EPSS: 2%CPEs: 1EXPL: 0CVE-2024-0875 – Stored XSS in openemr/openemr
https://notcve.org/view.php?id=CVE-2024-0875
15 Nov 2024 — A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1. Existe una vulnerabilidad de cross-site scripting (XSS) almacenado en la versión 7.0.1 de openemr/openemr. • https://github.com/openemr/openemr/commit/d141d2ca06fb2171a202c7302dd5d5af8539f255 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37734
https://notcve.org/view.php?id=CVE-2024-37734
26 Jun 2024 — An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter. Un problema en OpenEMR 7.0.2 permite a un atacante remoto escalar privilegios mediante una solicitud POST manipulada utilizando el parámetro noteid. • https://github.com/A3h1nt/CVEs/tree/main/OpenEMR • CWE-279: Incorrect Execution-Assigned Permissions •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 3CVE-2012-0992 – OpenEMR 4.1 - '/Interface/fax/fax_dispatch.php?File' 'exec()' Call Arbitrary Shell Command Execution
https://notcve.org/view.php?id=CVE-2012-0992
07 Feb 2012 — interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the file parameter. interface/fax/fax_dispatch.php en OpenEMR v4.1.0, permite a usuarios autenticados remotamente ejecutar comandos de su elección a través de metacaracteres de linea de comandos en el parámetro file. • https://www.exploit-db.com/exploits/36651 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 4%CPEs: 1EXPL: 6CVE-2012-0991 – OpenEMR 4.1 - '/contrib/acog/print_form.php?formname' Traversal Local File Inclusion
https://notcve.org/view.php?id=CVE-2012-0991
07 Feb 2012 — Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter. Múltiples vulnerabilidades de salto de directorio en OpenEMR v4.1.0, permite a usuarios autenticados remotamente leer archivos de su elección a través de un .. (punto punto) en el parámetro formname en (1) contri... • https://www.exploit-db.com/exploits/36650 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2007-0649 – OpenEMR 2.8.2 - 'Import_XML.php' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2007-0649
01 Feb 2007 — Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue w... • https://www.exploit-db.com/exploits/29556 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 2CVE-2006-5811 – OpenEMR 2.8.1 - 'srcdir' Multiple Remote File Inclusions
https://notcve.org/view.php?id=CVE-2006-5811
08 Nov 2006 — PHP remote file inclusion vulnerability in library/translation.inc.php in OpenEMR 2.8.1, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[srcdir] parameter. Vulnerabilidad de inclusión remota de archivo en PHP en library/translation.inc.php de OpenEMR 2.8.1, cuando register_globals está activado, permite a atacantes remotos ejecutar código PHP de su elección mediante una URL en el parámetro GLOBALS[srcdir]. • https://www.exploit-db.com/exploits/2727 •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 2CVE-2006-5795 – OpenEMR 2.8.1 - 'srcdir' Multiple Remote File Inclusions
https://notcve.org/view.php?id=CVE-2006-5795
08 Nov 2006 — Multiple PHP remote file inclusion vulnerabilities in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the srcdir parameter to (a) billing_process.php, (b) billing_report.php, (c) billing_report_xml.php, and (d) print_billing_report.php in interface/billing/; (e) login.php; (f) interface/batchcom/batchcom.php; (g) interface/login/login.php; (h) main_info.php and (i) main.php in interface/main/; (j) interface/new/new_patient_save.p... • https://www.exploit-db.com/exploits/2727 •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 1CVE-2006-2929 – OpenEMR 2.8.1 - 'fileroot' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-2929
09 Jun 2006 — PHP remote file inclusion vulnerability in contrib/forms/evaluation/C_FormEvaluation.class.php in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[fileroot] parameter. • https://www.exploit-db.com/exploits/1886 •