OpenEMR
by OpenEMR
CVEs (217)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-17409 | | | 0.00 | — | 0.01 | | Oct 21, 2019 | Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 via the id parameter. |
| CVE-2019-17197 | | | 0.00 | — | 0.01 | | Oct 5, 2019 | OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc. |
| CVE-2019-8371 | | | 0.00 | — | 0.03 | | Sep 16, 2019 | OpenEMR v5.0.1-6 allows code execution. |
| CVE-2018-17181 | | | 0.00 | — | 0.01 | | May 17, 2019 | An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php. |
| CVE-2018-17180 | | | 0.00 | — | 0.02 | | May 17, 2019 | An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php. |
| CVE-2018-18035 | | | 0.00 | — | 0.01 | | Apr 2, 2019 | A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. |
| CVE-2018-15151 | | High | 0.00 | 8.8 | 0.02 | | Aug 15, 2018 | SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. |
| CVE-2018-15150 | | High | 0.00 | 8.8 | 0.02 | | Aug 15, 2018 | SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in… |
| CVE-2018-15149 | | High | 0.00 | 8.8 | 0.02 | | Aug 15, 2018 | SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter. |
| CVE-2018-15148 | | High | 0.00 | 8.8 | 0.02 | | Aug 15, 2018 | SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter. |
| CVE-2018-15147 | | High | 0.00 | 8.8 | 0.02 | | Aug 15, 2018 | SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter. |
| CVE-2018-15146 | | High | 0.00 | 8.8 | 0.02 | | Aug 15, 2018 | SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. |
| CVE-2018-10573 | | High | 0.00 | 8.8 | 0.03 | | Apr 30, 2018 | interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter. |
| CVE-2018-10572 | | Medium | 0.00 | 6.5 | 0.02 | | Apr 30, 2018 | interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters. |
| CVE-2018-10571 | | Medium | 0.00 | 6.1 | 0.02 | | Apr 30, 2018 | Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to… |
| CVE-2015-4453 | | | 0.00 | — | 0.03 | | Jul 5, 2015 | interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via an ignoreAuth=1 value to certain scripts, as demonstrated by (1) interface/fax/fax_dispatch_newpid.php and (2)… |
| CVE-2013-4619 | | | 0.00 | — | 0.01 | | Aug 9, 2013 | Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) start or (2) end parameter to interface/reports/custom_report_range.php, or the (3) form_newid parameter to custom/chart_tracker.php. |