Openclinica
by Openclinica
CVEs (37)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-27240 | 0.00 | — | 0.01 | Apr 19, 2021 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this… | |||
| CVE-2020-27239 | 0.00 | — | 0.01 | Apr 15, 2021 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this… | |||
| CVE-2020-27238 | 0.00 | — | 0.01 | Apr 15, 2021 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||
| CVE-2020-27237 | 0.00 | — | 0.01 | Apr 15, 2021 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP… | |||
| CVE-2020-27235 | 0.00 | — | 0.01 | Apr 13, 2021 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||
| CVE-2020-27233 | 0.00 | — | 0.01 | Apr 13, 2021 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||
| CVE-2020-28939 | 0.00 | — | 0.02 | Dec 3, 2020 | OpenClinic version 0.8.2 is affected by a medical/test_new.php insecure file upload vulnerability. This vulnerability allows authenticated users (with substantial privileges) to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the… | |||
| CVE-2020-28938 | 0.00 | — | 0.01 | Dec 3, 2020 | OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users. | |||
| CVE-2020-28937 | 0.00 | — | 0.01 | Dec 3, 2020 | OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request… | |||
| CVE-2020-14487 | 0.00 | — | 0.02 | Jul 29, 2020 | OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands. | |||
| CVE-2020-14492 | 0.00 | — | 0.01 | Jul 29, 2020 | OpenClinic GA 5.09.02 and 5.89.05b does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user’s browser. | |||
| CVE-2020-14493 | 0.00 | — | 0.02 | Jul 29, 2020 | A low-privilege user may use SQL syntax to write arbitrary files to the OpenClinic GA 5.09.02 and 5.89.05b server, which may allow the execution of arbitrary commands. | |||
| CVE-2020-14489 | 0.00 | — | 0.01 | Jul 29, 2020 | OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques. | |||
| CVE-2020-14491 | 0.00 | — | 0.01 | Jul 20, 2020 | OpenClinic GA versions 5.09.02 and 5.89.05b do not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information. | |||
| CVE-2020-14494 | 0.00 | — | 0.01 | Jul 20, 2020 | OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number… | |||
| CVE-2020-14484 | 0.00 | — | 0.01 | Jul 20, 2020 | OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass the system’s account lockout protection, which may allow brute force password attacks. | |||
| CVE-2020-14485 | 0.00 | — | 0.03 | Jul 20, 2020 | OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries. |
- CVE-2020-27240Apr 19, 2021risk 0.00cvss —epss 0.01
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this…
- CVE-2020-27239Apr 15, 2021risk 0.00cvss —epss 0.01
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this…
- CVE-2020-27238Apr 15, 2021risk 0.00cvss —epss 0.01
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
- CVE-2020-27237Apr 15, 2021risk 0.00cvss —epss 0.01
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP…
- CVE-2020-27235Apr 13, 2021risk 0.00cvss —epss 0.01
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
- CVE-2020-27233Apr 13, 2021risk 0.00cvss —epss 0.01
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
- CVE-2020-28939Dec 3, 2020risk 0.00cvss —epss 0.02
OpenClinic version 0.8.2 is affected by a medical/test_new.php insecure file upload vulnerability. This vulnerability allows authenticated users (with substantial privileges) to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the…
- CVE-2020-28938Dec 3, 2020risk 0.00cvss —epss 0.01
OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users.
- CVE-2020-28937Dec 3, 2020risk 0.00cvss —epss 0.01
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request…
- CVE-2020-14487Jul 29, 2020risk 0.00cvss —epss 0.02
OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands.
- CVE-2020-14492Jul 29, 2020risk 0.00cvss —epss 0.01
OpenClinic GA 5.09.02 and 5.89.05b does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user’s browser.
- CVE-2020-14493Jul 29, 2020risk 0.00cvss —epss 0.02
A low-privilege user may use SQL syntax to write arbitrary files to the OpenClinic GA 5.09.02 and 5.89.05b server, which may allow the execution of arbitrary commands.
- CVE-2020-14489Jul 29, 2020risk 0.00cvss —epss 0.01
OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques.
- CVE-2020-14491Jul 20, 2020risk 0.00cvss —epss 0.01
OpenClinic GA versions 5.09.02 and 5.89.05b do not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information.
- CVE-2020-14494Jul 20, 2020risk 0.00cvss —epss 0.01
OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number…
- CVE-2020-14484Jul 20, 2020risk 0.00cvss —epss 0.01
OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass the system’s account lockout protection, which may allow brute force password attacks.
- CVE-2020-14485Jul 20, 2020risk 0.00cvss —epss 0.03
OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries.
Page 2 of 2