VYPR

Openclinica

by Openclinica

CVEs (37)

  • CVE-2020-27240Apr 19, 2021
    risk 0.00cvss epss 0.01

    An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this…

  • CVE-2020-27239Apr 15, 2021
    risk 0.00cvss epss 0.01

    An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this…

  • CVE-2020-27238Apr 15, 2021
    risk 0.00cvss epss 0.01

    An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2020-27237Apr 15, 2021
    risk 0.00cvss epss 0.01

    An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP…

  • CVE-2020-27235Apr 13, 2021
    risk 0.00cvss epss 0.01

    An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2020-27233Apr 13, 2021
    risk 0.00cvss epss 0.01

    An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2020-28939Dec 3, 2020
    risk 0.00cvss epss 0.02

    OpenClinic version 0.8.2 is affected by a medical/test_new.php insecure file upload vulnerability. This vulnerability allows authenticated users (with substantial privileges) to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the…

  • CVE-2020-28938Dec 3, 2020
    risk 0.00cvss epss 0.01

    OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users.

  • CVE-2020-28937Dec 3, 2020
    risk 0.00cvss epss 0.01

    OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request…

  • CVE-2020-14487Jul 29, 2020
    risk 0.00cvss epss 0.02

    OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands.

  • CVE-2020-14492Jul 29, 2020
    risk 0.00cvss epss 0.01

    OpenClinic GA 5.09.02 and 5.89.05b does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user’s browser.

  • CVE-2020-14493Jul 29, 2020
    risk 0.00cvss epss 0.02

    A low-privilege user may use SQL syntax to write arbitrary files to the OpenClinic GA 5.09.02 and 5.89.05b server, which may allow the execution of arbitrary commands.

  • CVE-2020-14489Jul 29, 2020
    risk 0.00cvss epss 0.01

    OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques.

  • CVE-2020-14491Jul 20, 2020
    risk 0.00cvss epss 0.01

    OpenClinic GA versions 5.09.02 and 5.89.05b do not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information.

  • CVE-2020-14494Jul 20, 2020
    risk 0.00cvss epss 0.01

    OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number…

  • CVE-2020-14484Jul 20, 2020
    risk 0.00cvss epss 0.01

    OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass the system’s account lockout protection, which may allow brute force password attacks.

  • CVE-2020-14485Jul 20, 2020
    risk 0.00cvss epss 0.03

    OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries.

Page 2 of 2