CVE-2022-31496
Description
LibreHealth EHR Base 2.0.0 allows incorrect interface/super/manage_site_files.php access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR 2.0.0 allows authenticated users to access the super admin's manage_site_files.php and modify files, leading to remote code execution.
Vulnerability
In LibreHealth EHR Base version 2.0.0 (REL-2_0_0, released November 2017) the endpoint interface/super/manage_site_files.php is accessible to any authenticated user without proper authorization checks. The official description states that the vulnerability allows "incorrect interface/super/manage_site_files.php access," and the advisory [1] confirms that "any user or admin can access the functionality for super admin page and change some files." The page is intended only for super administrators but no role verification is performed.
Exploitation
An attacker must have a valid user account (any role—regular user or admin) on the LibreHealth EHR instance, giving them access to the application's web interface [1]. They then navigate to librehealth_host/interface/super/manage_site_files.php and can browse and modify a set of PHP files on the server. The advisory notes that modifying custom_pdf.php is the safest target to avoid breaking the site. The attacker injects arbitrary PHP code—for example a web shell—into the selected file and saves the changes [1]. The injected code is then accessible at sites/default/letter_templates/custom_pdf.php (or the corresponding path for other modified files). No special user interaction or race condition is required.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server with the privileges of the web server user [1]. The attacker can perform any server-side operation—read, write, or delete files; execute system commands; access databases; or pivot to other internal systems. This represents a full compromise of confidentiality, integrity, and availability (CIA) of the LibreHealth EHR instance and potentially the underlying host.
Mitigation
No official patch or fixed version has been released for CVE-2022-31496 as of the available references [1][2]. The latest tagged version in the repository is REL-2_0_0 from November 2017 [2], and no newer security release is indicated. Until a fix is available, administrators should restrict access to interface/super/manage_site_files.php using web server access controls (e.g., .htaccess or firewall rules) to only trusted super admin IP addresses. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations running LibreHealth EHR should monitor for future updates.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- LibreHealth/LibreHealth EHR Basedescription
- Range: = 2.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access-control check on the super-admin page allows any authenticated user to modify server-side PHP files."
Attack vector
An attacker who is already authenticated as any user (not necessarily a super-admin) can navigate directly to `interface/super/manage_site_files.php` because no access-control check is enforced on that endpoint [ref_id=1]. From there, the attacker selects a writable PHP file—the advisory recommends `custom_pdf.php` to avoid breaking the site—and injects malicious PHP code [ref_id=1]. After saving, the attacker accesses the injected file at `sites/default/letter_templates/custom_pdf.php` to achieve remote code execution [ref_id=1].
Affected code
The vulnerable endpoint is `interface/super/manage_site_files.php` [ref_id=1]. This page is intended for super-admin use only but is accessible to any user or admin without proper authorization checks [ref_id=1]. An attacker can modify files such as `custom_pdf.php` (located under `sites/default/letter_templates/`) to inject arbitrary PHP code [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. To close the vulnerability, the application must enforce proper authorization checks on `interface/super/manage_site_files.php` so that only users with super-admin privileges can access it [ref_id=1]. Without such a check, any authenticated user can reach functionality that allows modification of server-side PHP files, leading to remote code execution [ref_id=1].
Preconditions
- authAttacker must be authenticated as any user (including regular users or admins) in the LibreHealth EHR application.
- networkThe vulnerable endpoint `interface/super/manage_site_files.php` must be reachable over HTTP/HTTPS.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- nitroteam.kz/index.phpmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.