
CVE-2015-4453

 

  • Severity Score: 5.0 (CVSS v2)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via an ignoreAuth=1 value to certain scripts, as demonstrated by (1) interface/fax/fax_dispatch_newpid.php and (2) interface/billing/sl_eob_search.php.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2015-06-09 CVE Reserved
  • 2015-06-19 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor    Product  Version  Other  Status
Open-emr  Openemr  2.8.3    -      Affected
Open-emr  Openemr  2.9.0    -      Affected
Open-emr  Openemr  3.0.1    -      Affected
Open-emr  Openemr  3.1.0    -      Affected
Open-emr  Openemr  3.2.0    -      Affected
Open-emr  Openemr  4.0.0    -      Affected
Open-emr  Openemr  4.1.0    -      Affected
Open-emr  Openemr  4.1.1    -      Affected
Open-emr  Openemr  4.1.2    -      Affected
Open-emr  Openemr  4.2.0    -      Affected