OpenEMR

All CVEs

217 total · sorted by risk
  • CVE-2019-17409 · Oct 21, 2019
    risk 0.00 · cvss · epss 0.01

    Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 via the id parameter.

  • CVE-2019-17197 · Oct 5, 2019
    risk 0.00 · cvss · epss 0.01

    OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.

  • CVE-2019-8371 · Sep 16, 2019
    risk 0.00 · cvss · epss 0.03

    OpenEMR v5.0.1-6 allows code execution.

  • CVE-2018-17181 · May 17, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.

  • CVE-2018-17180 · May 17, 2019
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php.

  • CVE-2018-18035 · Apr 2, 2019
    risk 0.00 · cvss · epss 0.01

    A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.

  • CVE-2018-15151 · High · Aug 15, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.

  • CVE-2018-15150 · High · Aug 15, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in…

  • CVE-2018-15149 · High · Aug 15, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter.

  • CVE-2018-15148 · High · Aug 15, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter.

  • CVE-2018-15147 · High · Aug 15, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter.

  • CVE-2018-15146 · High · Aug 15, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.

  • CVE-2018-10573 · High · Apr 30, 2018
    risk 0.00 · cvss 8.8 · epss 0.03

    interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter.

  • CVE-2018-10572 · Medium · Apr 30, 2018
    risk 0.00 · cvss 6.5 · epss 0.02

    interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters.

  • CVE-2018-10571 · Medium · Apr 30, 2018
    risk 0.00 · cvss 6.1 · epss 0.02

    Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to…

  • CVE-2015-4453 · Jul 5, 2015
    risk 0.00 · cvss · epss 0.03

    interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via an ignoreAuth=1 value to certain scripts, as demonstrated by (1) interface/fax/fax_dispatch_newpid.php and (2)…

  • CVE-2013-4619 · Aug 9, 2013
    risk 0.00 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) start or (2) end parameter to interface/reports/custom_report_range.php, or the (3) form_newid parameter to custom/chart_tracker.php.

Page 5 of 5