CVE-2018-1000650
Description
LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in the Show Groups Popup SQL query functions that can result in the ability to perform malicious database queries. This attack appears to be exploitable via user-controlled parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealthIO lh-ehr REL-2.0.0 contains an authenticated SQL injection vulnerability in show_groups_popup.php allowing database compromise.
Vulnerability
An authenticated SQL injection vulnerability exists in LibreHealthIO lh-ehr version REL-2.0.0. The issue is located in show_groups_popup.php at lines 51-52, where the GET parameter layout_id is directly concatenated into a SQL query without sanitization [1][2]. The vulnerable code constructs a query using $_GET['layout_id'] and executes it via sqlStatement(). An attacker must be authenticated to reach this code path.
Exploitation
An attacker with a valid authenticated session can exploit this vulnerability by providing a malicious payload in the layout_id parameter. The attacker can inject arbitrary SQL commands, which will be executed against the database. The exploit requires no special privileges beyond basic user authentication [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to complete compromise of the database. This includes the ability to read, modify, or delete sensitive data, as well as potentially escalate privileges or gain further access to the application [1][2].
Mitigation
As of the disclosure timeline (August 2018), no fix has been released [1]. The recommended mitigation is to use parameterized queries or prepared statements instead of string concatenation. Until a patch is available, administrators should limit user access and monitor for suspicious activity.
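The following PHP is an added illustration of the pattern this entry describes and the parameterized alternative it recommends; it is not code from lh-ehr or from the references. The table, column names, sample rows and the in-memory SQLite database are constructed for the example. The real helper, sqlStatement(), is OpenEMR-derived and in those code bases accepts a bind array as its second argument (an assumption about its signature, not something the page states); PDO is used here so the example runs stand-alone with the same idea.

```php
<?php
// Added illustration for CVE-2018-1000650's query pattern; not lh-ehr code.
// Fixture (constructed): a layout_options table like the one a groups popup
// would read, loaded into an in-memory SQLite database.
declare(strict_types=1);

function makeFixture(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE layout_options (form_id TEXT, group_name TEXT)");
    $pdo->exec("INSERT INTO layout_options VALUES ('DEM','1Who'), ('DEM','2Contact'), ('HIS','1General')");
    return $pdo;
}

// Vulnerable shape: the request value is spliced into the SQL text, so a
// quote character in layout_id changes the statement instead of being data.
function groupsConcatenated(PDO $pdo, string $layoutId): array
{
    $sql = "SELECT DISTINCT group_name FROM layout_options WHERE form_id = '" . $layoutId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened shape: validate the identifier, then send it as a bound parameter.
// The SQL text is constant; the driver never interprets the value as syntax.
function groupsParameterized(PDO $pdo, string $layoutId): array
{
    // Layout ids are short identifier-like tokens (assumed format for the example).
    if (!preg_match('/^[A-Za-z0-9_]{1,31}$/', $layoutId)) {
        throw new InvalidArgumentException('invalid layout_id');
    }
    $stmt = $pdo->prepare("SELECT DISTINCT group_name FROM layout_options WHERE form_id = ?");
    $stmt->execute([$layoutId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Contrast the two on a well-formed id and on a malformed one containing a quote:
// the concatenated version hands the malformed value to the database (here it
// surfaces as a SQL syntax error, which is what a server log would show during
// probing), the parameterized version rejects it before any query is run.
function demonstrate(): array
{
    $pdo = makeFixture();
    $out = ['ok' => groupsParameterized($pdo, 'DEM')];
    try {
        groupsConcatenated($pdo, "DEM'");
        $out['concat'] = 'executed';
    } catch (PDOException $e) {
        $out['concat'] = 'database error: ' . $e->getMessage();
    }
    try {
        groupsParameterized($pdo, "DEM'");
        $out['param'] = 'executed';
    } catch (InvalidArgumentException $e) {
        $out['param'] = 'rejected before query: ' . $e->getMessage();
    }
    return $out;
}

// In a request handler: read layout_id from $_GET, but only ever pass it to the
// parameterized path and map validation failures to a 400 response.
if (PHP_SAPI === 'cli') {
    print_r(demonstrate());
} else {
    $layoutId = isset($_GET['layout_id']) ? (string) $_GET['layout_id'] : '';
    try {
        foreach (groupsParameterized(makeFixture(), $layoutId) as $g) {
            echo htmlspecialchars($g, ENT_QUOTES, 'UTF-8'), "\n";
        }
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo "bad request\n";
    }
}
```

Run from the command line the script prints the two groups for DEM, a database error for the concatenated path, and a pre-query rejection for the parameterized path. The allow-list check is defence in depth; the bound parameter alone closes the injection, and the validation gives operators a clean 400 to alert on instead of a SQL error buried in the database log.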
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
EventPlanning, INTERN, REL-2_0_0, … (+1 more)
- (no CPE) range: EventPlanning, INTERN, REL-2_0_0, …
- (no CPE) range: = 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] 0dd.zone/2018/08/08/lh-ehr-Authenticated-SQL-Injection/ (MISC)
- [2] github.com/LibreHealthIO/lh-ehr/issues/1215 (CONFIRM)
News mentions
No linked articles in our index yet.