CVE-2022-29938
Description
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\payment_master.inc.php leads to SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In LibreHealth EHR 2.0.0, unsanitized payment_id parameter leads to SQL injection in new_payment.php.
Vulnerability
In LibreHealth EHR 2.0.0, the `payment_id` GET parameter in `interface/billing/new_payment.php` is passed without sanitization to `interface/billing/payment_master.inc.php`, where it is used in a SQL query: `select pay_total,global_amount from ar_session where session_id='$payment_id'` [1]. This allows SQL injection.
Exploitation
An attacker with authenticated access can send a crafted HTTP GET request to `/interface/billing/new_payment.php` with a malicious `payment_id` parameter, such as `1'and(extractvalue(0x0a,concat(0x0a,(user()))))--+a` [1]. The injected SQL is executed directly.
Impact
Successful exploitation leads to unauthorized reading or modification of the database, potentially exposing sensitive patient health information or compromising system integrity.
Mitigation
No official patch has been released as of the publication date [1]. The vendor has not addressed this issue in subsequent releases (the latest tag is from July 2021). Until a fix is available, users should restrict network access to the application and apply input validation manually.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth/LibreHealth EHR
- Range: = 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Lack of sanitization of the GET parameter payment_id allows SQL injection."
Attack vector
An authenticated attacker can inject SQL by manipulating the `payment_id` GET parameter in the URL `interface/billing/new_payment.php`. The unsanitized value is passed directly into a SQL query in `payment_master.inc.php` at line 77, where it is embedded in single quotes within the query string. The researcher's proof-of-concept demonstrates injecting a time-based or error-based payload (e.g., `1'and(extractvalue(0x0a,concat(0x0a,(user()))))--+a`) to extract database information [ref_id=1].
Affected code
The vulnerable code is in `interface/billing/payment_master.inc.php` at line 77, where the `$payment_id` parameter is directly interpolated into a SQL query without sanitization. The parameter is captured from user input in `interface/billing/new_payment.php` at line 49 via `$_REQUEST['payment_id']` [ref_id=1].
What the fix does
The advisory states that both files should sanitize their parameters, but no patch is provided in the bundle. The recommended remediation is to use parameterized queries or properly escape the `$payment_id` value before including it in the SQL statement, preventing an attacker from injecting arbitrary SQL syntax [ref_id=1].
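As an added illustration (not LibreHealth EHR's own code), the interpolation pattern the advisory describes beside a hardened version of the same lookup. It assumes a PDO connection `$pdo` to the EHR database; the table and column names are taken from the query quoted above.

```php
<?php
// Added example for CVE-2022-29938; not code from LibreHealth EHR.
// Assumption: $pdo is an open PDO connection to the EHR's MySQL database.

// Vulnerable pattern described in the advisory: the raw request value is
// spliced into the SQL string. A single quote inside payment_id closes the
// literal, so the rest of the value is parsed by MySQL as SQL syntax.
function lookupPaymentVulnerable(PDO $pdo, array $request): ?array
{
    $payment_id = $request['payment_id'] ?? '';
    $sql = "select pay_total,global_amount from ar_session where session_id='$payment_id'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the identifier's shape first, then bind it as a
// typed parameter so the database never interprets its bytes as SQL.
function lookupPaymentHardened(PDO $pdo, array $request): ?array
{
    // session_id is a numeric key: accept only a positive integer and
    // reject everything else before any query is built.
    $payment_id = filter_var(
        $request['payment_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($payment_id === false) {
        http_response_code(400); // malformed identifier, do not touch the DB
        return null;
    }

    // Prepared statement: the value travels separately from the SQL text.
    $stmt = $pdo->prepare(
        'select pay_total, global_amount from ar_session where session_id = :id'
    );
    $stmt->bindValue(':id', $payment_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Applying the hardened lookup in `payment_master.inc.php` and validating `$_REQUEST['payment_id']` at the point it is read in `new_payment.php` covers both files the advisory names; a malformed value then yields a 400 response instead of a database error.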
Preconditions
- auth: Attacker must be authenticated (the advisory states 'All this vulnerabilities needs authorization')
- network: Attacker must be able to send HTTP GET requests to the vulnerable endpoint
- input: The `payment_id` parameter must be present in the request
Reproduction
Send an authenticated GET request to `http://librehealth_host/interface/billing/new_payment.php?payment_id=1%27and(extractvalue(0x0a,concat(0x0a,(user()))))--+a`. The injected payload triggers an SQL error that reveals the database user, confirming the injection [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. nitroteam.kz/index.php (MISC)
News mentions
No linked articles in our index yet.