Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Openemr
(Open\-Emr)| Repositories | https://github.com/openemr/openemr |
| #Vulnerabilities | 137 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-02-15 | CVE-2020-29142 | A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings. | Openemr | 7.2 | ||
| 2021-02-15 | CVE-2020-29139 | A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter. | Openemr | 7.2 | ||
| 2021-02-15 | CVE-2020-29140 | A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. | Openemr | 7.2 | ||
| 2021-02-15 | CVE-2020-29143 | A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. | Openemr | 7.2 | ||
| 2021-03-22 | CVE-2021-25922 | In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code. | Openemr | 6.1 | ||
| 2021-04-13 | CVE-2020-13566 | SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection. | Openemr, Phpgacl | 8.8 | ||
| 2021-04-13 | CVE-2020-13568 | SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action is “Submit”, the POST parameter parent_id leads to a SQL injection. | Openemr, Phpgacl | 8.8 | ||
| 2021-05-07 | CVE-2021-32101 | The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient. | Openemr | 8.2 | ||
| 2021-05-07 | CVE-2021-32102 | A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | Openemr | 8.8 | ||
| 2021-05-07 | CVE-2021-32103 | A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | Openemr | 4.8 |