| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves client-side DOM-based rendering via jQuery .html() in a completely different component (portal/sign/assets/signer_api.js). The two share the same root cause (unsanitized patient names in patient_data), but they have different sinks, different affected components, different trigger actions, and require independent fixes. This vulnerability is fixed in 8.0.0.1. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same ACL as the main billing/claims workflow, so authenticated users without appropriate billing permissions can access this data. This vulnerability is fixed in 8.0.0.1. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers — alerts, ajax, edit, add, detail, browse — accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations — all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1. |
| OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. The variable `$data` is passed in a click event handler enclosed in single quotes without proper sanitization. Thus, despite `json_encode` a malicious user can still inject a payload such as ` ac' ><img src=x onerror=alert(document.cookie)> ` to trigger the bug. This vulnerability allows low privileged users to embed malicious JS payloads on the server and perform stored XSS attack. This, in turn makes it possible for malicious users to steal the session cookies and perform unauthorized actions impersonating administrators. Version 7.0.4 patches the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/TLS certificate verification by default (`verify: false`), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent via Secure Messaging, clicking the link opens the website within the OpenEMR/Portal site. This behavior could be exploited for phishing. Version 7.0.4 patches the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. |
| OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the (1) Text Box fields of Address, Address Line 2, Postal Code and City fields and (2) Drop Down menu options of Address Use, State and Country of the Additional Addresses section of the Contact tab in Patient Demographics. The injected script can execute in two scenarios: (1) dynamically during form input, and (2) when the form data is later loaded for editing. Version 7.0.3.4 contains a patch for the issue. |
| An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter. |
| Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter. |
| interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the file parameter. |
