CVE-2020-11439
Description
LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EMR v2.0.0 contains a local file inclusion vulnerability allowing unauthenticated remote code execution via arbitrary PHP inclusion.
Vulnerability
LibreHealth EMR version 2.0.0 is affected by a local file inclusion (LFI) vulnerability that allows an attacker to include and execute arbitrary PHP files within the application. The issue resides in the application's handling of file inclusion parameters, enabling path traversal to include files from the server's filesystem. This vulnerability was identified by Bishop Fox and is detailed in their advisory [1]. The affected version is LibreHealth EHR 2.0.0, released September 2017 [2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the LibreHealth EMR application. The attacker does not require any prior authentication or user interaction. By manipulating file inclusion parameters, the attacker can include arbitrary PHP files from the server, potentially leading to remote code execution. The advisory notes that the LFI can be leveraged to compromise the underlying application server [1].
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full compromise of the application server. This grants access to sensitive data, including medical records and personally identifiable information (PII) stored within the application. The impact is classified as high risk, as it could result in complete loss of confidentiality, integrity, and availability of the system [1].
Mitigation
As of the publication date of the advisory, no official patched release of LibreHealth EMR v2.0.0 is available. The vendor has fixes in progress, but they have not been merged into a stable release [1]. Users are advised to monitor the LibreHealth project for updates and apply patches as soon as they become available. No workarounds are documented in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth/EMR
- Range: =2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `url` parameter allows path traversal and inclusion of arbitrary PHP files."
Attack vector
An authenticated attacker crafts a request to `main.php` with a `url` parameter that uses path traversal (e.g., `../../sites/default/letter_templates/webshell.php`) to point to a PHP file already present on the server. The attacker first uploads a PHP web shell (leveraging a separate known vulnerability, CVE-2018-1000649) and then includes it via the LFI. The included PHP code executes in the context of the application, allowing remote command execution [1].
Affected code
The vulnerable endpoint is `librehealthehr/interface/main/tabs/main.php`. The `url` parameter in this endpoint is not sanitized, allowing an attacker to include arbitrary PHP files from within the application's web root [1].
What the fix does
No official patched release is available at the time of the advisory. The advisory notes that fixes are in progress and some are available as unmerged pull requests on the LibreHealth GitHub repository, but no specific patch diff is provided [1]. The recommended remediation is to properly validate and sanitize the `url` parameter to prevent path traversal and arbitrary file inclusion.
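The hardening the advisory calls for, shown as an added illustration rather than LibreHealth's own code or its pending pull requests: the unsafe pattern (request value passed straight to `include`) beside a resolver that accepts only an allowlisted file name and confirms the resolved path stays inside the intended directory. The names `resolve_tab_include`, `$tabRoot` and `$allowedTabs` and the sample file names are assumptions made for this example.

```php
<?php
// Added example (not LibreHealth code). Contrasts an unsafe include of a
// request-controlled "url" value with an allowlist + realpath-contained version.
// resolve_tab_include, $tabRoot and $allowedTabs are assumed names.

// Unsafe pattern: the request value reaches include() unchanged, so
// "../../" sequences can walk out of the intended directory.
function include_tab_unsafe(string $url): void {
    include $url;
}

// Hardened pattern: only file names on a fixed allowlist are accepted, and the
// resolved path must still sit inside the intended directory.
function resolve_tab_include(string $url, string $tabRoot, array $allowedTabs): ?string {
    // Reject anything that is not a bare file name present on the allowlist
    // (basename() strips any directory component, so "../x.php" !== "x.php").
    $name = basename($url);
    if ($name !== $url || !in_array($name, $allowedTabs, true)) {
        return null;
    }
    $root = realpath($tabRoot);
    $path = realpath($tabRoot . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Containment check (defence in depth): resolved path must begin with
    // the resolved root followed by a separator, so symlinks cannot escape.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage sketch with constructed values: resolve first, include only on success.
$allowedTabs = ['calendar.php', 'messages.php', 'patient_summary.php']; // assumed list
$tabRoot = __DIR__ . '/tabs';                                            // assumed directory
$target = resolve_tab_include($_GET['url'] ?? '', $tabRoot, $allowedTabs);
if ($target === null) {
    http_response_code(400);
    exit('invalid tab');
}
include $target;
```

With this resolver, a value such as `../../sites/default/letter_templates/webshell.php` is rejected at the allowlist step before any filesystem access occurs.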
Preconditions
- Auth: Attacker must be an authenticated user of the LibreHealth EHR application
- Input: Attacker must have a PHP file (e.g., a web shell) already present within the application's web root
- Network: Attacker must be able to send HTTP requests to the vulnerable endpoint
Reproduction
1. Upload a PHP web shell (e.g., `webshell.php` containing `system($_GET['cmd']);`) to a location within the application's web root, such as `sites/default/letter_templates/`.
2. As an authenticated user, send a request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- know.bishopfox.com/advisories
- labs.bishopfox.com/advisories/librehealth-version-2.0.0-0
- librehealth.io
News mentions
No linked articles in our index yet.