Openemr

by Openemr

CVEs (217)

  • CVE-2021-40352 | Sep 1, 2021
    risk 0.03 | cvss | epss 0.10

    OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.

  • CVE-2019-8368 | Sep 16, 2019
    risk 0.03 | cvss | epss 0.47

    OpenEMR v5.0.1-6 allows XSS.

  • CVE-2018-9250 | High | May 18, 2018
    risk 0.03 | cvss 8.8 | epss 0.32

    interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter.

  • CVE-2014-5462 | Dec 8, 2014
    risk 0.03 | cvss | epss 0.02

    Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) layout_id parameter to interface/super/edit_layout.php; (2) form_patient_id, (3) form_drug_name, or (4) form_lot_number…

  • CVE-2013-4620 | Aug 9, 2013
    risk 0.03 | cvss | epss 0.03

    Cross-site scripting (XSS) vulnerability in interface/main/onotes/office_comments_full.php in OpenEMR 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the note parameter.

  • CVE-2012-2115 | Sep 9, 2012
    risk 0.03 | cvss | epss 0.02

    SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the u parameter.

  • CVE-2011-5161 | Sep 9, 2012
    risk 0.03 | cvss | epss 0.02

    Unrestricted file upload vulnerability in the patient photograph functionality in OpenEMR 4 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the patient…

  • CVE-2011-5160 | Sep 9, 2012
    risk 0.03 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in setup.php in OpenEMR 4 allows remote attackers to inject arbitrary web script or HTML via the site parameter.

  • CVE-2012-0992 | Feb 7, 2012
    risk 0.03 | cvss | epss 0.04

    interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the file parameter.

  • CVE-2007-0649 | Feb 1, 2007
    risk 0.03 | cvss | epss 0.06

    Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in…

  • CVE-2006-5811 | Nov 8, 2006
    risk 0.03 | cvss | epss 0.03

    PHP remote file inclusion vulnerability in library/translation.inc.php in OpenEMR 2.8.1, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[srcdir] parameter.

  • CVE-2006-5795 | Nov 8, 2006
    risk 0.03 | cvss | epss 0.03

    Multiple PHP remote file inclusion vulnerabilities in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the srcdir parameter to (a) billing_process.php, (b) billing_report.php, (c)…

  • CVE-2006-2929 | Jun 9, 2006
    risk 0.03 | cvss | epss 0.06

    PHP remote file inclusion vulnerability in contrib/forms/evaluation/C_FormEvaluation.class.php in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[fileroot] parameter.

  • CVE-2019-3966 | Aug 20, 2019
    risk 0.02 | cvss | epss 0.01

    In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.

  • CVE-2019-3965 | Aug 20, 2019
    risk 0.02 | cvss | epss 0.01

    In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.

  • CVE-2019-3963 | Aug 20, 2019
    risk 0.02 | cvss | epss 0.54

    In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.

  • CVE-2019-14529 | Aug 2, 2019
    risk 0.02 | cvss | epss 0.28

    OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.

  • CVE-2025-31121 | Apr 1, 2025
    risk 0.01 | cvss | epss 0.12

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 7.0.3.1, the Patient Image feature in OpenEMR is vulnerable to cross-site scripting attacks via the EXIF title in an image. This vulnerability is fixed in 7.0.3.1.

  • CVE-2025-30161 | Mar 31, 2025
    risk 0.01 | cvss | epss 0.06

    OpenEMR is a free and open source electronic health records and medical practice management application. A stored XSS vulnerability in the Bronchitis form component of OpenEMR allows anyone who is able to edit a bronchitis form to steal credentials from administrators. This…

  • CVE-2019-3964 | Aug 20, 2019
    risk 0.01 | cvss | epss 0.54

    In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session.
