VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2020 · Updated Aug 4, 2024

CVE-2020-11438

Description

LibreHealth EMR v2.0.0 is affected by systemic CSRF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibreHealth EHR v2.0.0 contains a systemic CSRF vulnerability allowing unauthenticated attackers to perform actions on behalf of authenticated users.

Vulnerability

LibreHealth EHR v2.0.0 is affected by a systemic cross-site request forgery (CSRF) vulnerability. The application does not validate an anti-CSRF token on its state-changing POST requests, so an attacker can craft requests that, when submitted by a victim's browser, execute actions on behalf of the authenticated user. This issue was identified by Bishop Fox and is one of five high-risk vulnerabilities in the release [1]. The affected version was the latest stable release as of September 2017 [2].

Exploitation

An attacker exploits this vulnerability by tricking an authenticated user into visiting a malicious page or clicking a crafted link. The attacker needs no account on the application and no special network position; the only requirement is that the victim is logged into LibreHealth EHR when the crafted request fires. The victim's browser then submits the attacker's requests with the victim's session cookie attached, allowing actions such as modifying patient records or creating new users, or chaining with other vulnerabilities such as local file inclusion or SQL injection [1].

Impact

Successful exploitation allows the attacker to perform any action that the victim user is authorized to do, including accessing, modifying, or deleting sensitive medical records and personally identifiable information (PII). Because the application stores highly sensitive health data, this CSRF vulnerability can lead to full compromise of patient confidentiality and data integrity. The attacker can also leverage the victim's session to execute other high-risk attacks, such as local file inclusion or SQL injection, potentially compromising the underlying server [1].

Mitigation

As of the advisory publication date (July 2020), no official patched release of LibreHealth EHR was available. Fixes were in progress but had not been merged into the main codebase [1]. Users should monitor the LibreHealth project website [2] for updates and apply patches as soon as they are released. No workarounds were documented in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF token validation on all POST requests allows arbitrary origins to submit state-changing requests."

Attack vector

An attacker hosts a page that, when visited by an authenticated LibreHealth EHR user, auto-submits cross-origin POST requests to the application. The browser attaches the victim's session cookie, and the application accepts the requests because it neither validates an anti-CSRF token nor checks the Origin or Referer header [1]. The advisory demonstrates chaining this CSRF with an insecure file upload endpoint (letter.php) to upload a PHP reverse shell via a path traversal payload in the form_template parameter, then requesting the uploaded shell to achieve remote code execution [1].

Affected code

The advisory states the CSRF vulnerability is systemic across the entire LibreHealth EHR v2.0.0 application, affecting all POST requests [1]. The specific endpoint demonstrated in the proof-of-concept is /librehealthehr/interface/patient_file/letter.php with formaction=savetemplate [1]. No patch files are provided in the bundle.

What the fix does

The advisory does not include a patch or specific remediation code. It identifies the vulnerability as systemic CSRF affecting all POST requests in LibreHealth EHR v2.0.0 [1]. The standard fix is a per-session (or per-form) anti-CSRF token that every state-changing POST must carry and that the server verifies before acting. Checking that the Origin or Referer header matches the application's own origin is a useful second layer but not a substitute, since some clients omit those headers. Marking the session cookie SameSite=Lax or Strict also stops the browser from attaching it to cross-site form posts and is worth enabling as defense in depth.

Preconditions

  • auth: The victim must be authenticated to LibreHealth EHR with an active session cookie.
  • network: The attacker must host a page reachable by the victim's browser (e.g., a malicious website or a file opened from the local filesystem).
  • input: The attacker crafts a POST request with a path traversal payload in the form_template parameter to upload a PHP shell to the web root.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.