VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2020 · Updated Aug 4, 2024

CVE-2020-11437

Description

LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibreHealth EMR v2.0.0 has an SQL injection that lets low-privilege users enumerate the database.

Vulnerability

LibreHealth EMR v2.0.0 is affected by a SQL injection vulnerability in the application's backend. The issue allows low-privilege authenticated users to inject arbitrary SQL queries, leading to database enumeration. The vulnerable version is LibreHealth EHR v2.0.0, released September 2017 [1]. The official project website is librehealth.io [2].

Exploitation

An attacker must have a low-privilege authenticated account on the LibreHealth EMR application to exploit this vulnerability. The SQL injection occurs in a web request parameter that is not properly sanitized before being used in a database query. No special network position or user interaction beyond authentication is required [1].

Impact

Successful exploitation allows the attacker to enumerate the database contents, which includes highly sensitive medical records and personally identifiable information (PII). The Bishop Fox advisory categorizes this as a high-risk vulnerability leading to sensitive data disclosure [1].

Mitigation

As of the Bishop Fox advisory publication date, no official patched release was available. The vendor indicated fixes were in progress, with some unmerged pull requests available. Users should monitor the LibreHealth project for a patched version. No workaround is documented in the provided references [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Unsafe SQL string building in interface/patient_file/letter.php directly interpolates user-supplied POST parameters into SQL queries without sanitization or parameterization."

Attack vector

An attacker authenticates as a low-privilege user (e.g., a member of the Front Desk group) and sends a POST request to `/librehealthehr/interface/patient_file/letter.php`. The `form_from` and `form_to` POST parameters are vulnerable to SQL injection. Injecting a payload such as `7' AND (select sleep(12)) #` into `form_from` causes a measurable time delay, confirming the injection. The attacker can then use automated tools such as sqlmap to extract the entire MySQL database, including medical records and user credentials [1].

Affected code

The vulnerable code is in `interface/patient_file/letter.php`. Unsafe SQL string building occurs at lines 104–105, where the `$form_from` and `$form_to` POST parameters are interpolated directly into SQL queries without sanitization or parameterization [1].

What the fix does

The advisory does not provide a patch or fix commit. The remediation guidance is implicit: the application should use parameterized queries (prepared statements) or properly escape user-supplied input before including it in SQL statements. Without a fix, the unsafe string concatenation at lines 104–105 of `interface/patient_file/letter.php` remains exploitable [1].
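The unsafe pattern the advisory describes, beside the prepared-statement form it recommends, as an added illustration that is not LibreHealth's own `letter.php` code; the query shape, the `letters` table, its column names and the numeric type of the identifiers are assumptions:

```php
<?php
// Added illustration of the pattern described in the advisory, not LibreHealth's
// own letter.php. Query shape, table and column names are assumptions.

// Unsafe pattern: request parameters interpolated straight into the SQL text.
// A value that closes the quoted string literal makes the remainder of the
// input part of the query itself, which is the root cause named above.
function unsafeLetterQuery(string $form_from, string $form_to): string
{
    return "SELECT * FROM letters WHERE from_id = '$form_from' AND to_id = '$form_to'";
}

// Hardened version: a prepared statement with bound parameters. The values are
// sent to MySQL separately from the SQL text, so they can only ever be data and
// never change the structure of the query.
function safeLetterQuery(PDO $db, string $form_from, string $form_to): array
{
    $stmt = $db->prepare(
        'SELECT * FROM letters WHERE from_id = :from_id AND to_id = :to_id'
    );
    $stmt->bindValue(':from_id', $form_from, PDO::PARAM_STR);
    $stmt->bindValue(':to_id', $form_to, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth (assumes the identifiers are numeric): reject anything that
// is not a plain integer before the value reaches the database layer at all.
function requireIntParam(array $post, string $name): int
{
    if (!isset($post[$name]) || !ctype_digit((string) $post[$name])) {
        http_response_code(400);
        exit("invalid $name");
    }
    return (int) $post[$name];
}

// Handler sketch: validate first, then query only through bound parameters.
// $db is assumed to be an already-connected PDO instance.
// $from = requireIntParam($_POST, 'form_from');
// $to   = requireIntParam($_POST, 'form_to');
// $rows = safeLetterQuery($db, (string) $from, (string) $to);
```

The time-based probe quoted in the attack-vector section only works against the first function; with bound parameters the same input is compared literally against the column and no `sleep()` is ever evaluated.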

Preconditions

  • Authentication: the attacker must be an authenticated user of the LibreHealth EMR application (any privilege level, including the low-privilege Front Desk group).
  • Network: the attacker must be able to send HTTP POST requests to the `/librehealthehr/interface/patient_file/letter.php` endpoint.
  • Input: the `form_from` and `form_to` POST parameters accept arbitrary attacker-controlled strings.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in the index yet)