Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Openemr
(Open\-Emr)| Repositories | https://github.com/openemr/openemr |
| #Vulnerabilities | 129 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-05-07 | CVE-2021-32102 | A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | Openemr | 8.8 | ||
| 2021-05-07 | CVE-2021-32103 | A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | Openemr | 4.8 | ||
| 2021-05-07 | CVE-2021-32104 | A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | Openemr | 8.8 | ||
| 2021-06-24 | CVE-2021-25923 | In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover. | Openemr | 8.1 | ||
| 2021-09-01 | CVE-2021-40352 | OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users. | Openemr | 6.5 | ||
| 2021-12-17 | CVE-2021-41843 | An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI. | Openemr | 6.5 | ||
| 2022-03-03 | CVE-2022-25471 | An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register. | Openemr | 8.1 | ||
| 2022-03-23 | CVE-2022-25041 | OpenEMR v6.0.0 was discovered to contain an incorrect access control issue. | Openemr | 4.3 | ||
| 2022-03-25 | CVE-2022-24643 | A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0. | Openemr | 5.4 | ||
| 2022-03-30 | CVE-2022-1177 | Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0. | Openemr | 4.3 |