Security advisories
Vulnerabilities discovered by the Sofistic team
OpenEMR – Broken Access Controls in Patient’s Document Section (CVE-2022-4567)
by Manuel Ginés
An authenticated user with no permission to access the “Documents” section can directly access any document in the system by manipulating the patient_id and document_id parameters in the URL. Because both identifiers are autoincrement values, they can also be brute-forced, which lowers the difficulty of finding valid documents. A second instance of the same flaw allowed unprivileged users to upload files into any user's document repository.
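The access check that is missing in the advisory above, as an added example in Python (illustrative code, not OpenEMR's own PHP). It assumes a hypothetical in-memory store (`DOCUMENTS`, `User`, `Document`) and a `"documents"` permission name, and it also shows a random public handle as a mitigation for brute-forcing autoincrement ids:

```python
"""Hypothetical access check for patient documents.

Added example, not OpenEMR's code. It models the two checks the advisory
says were missing: the caller must hold the permission for the documents
section, and the document_id in the URL must belong to the patient_id in
the URL. It also shows a random public handle as a mitigation for the
enumeration of autoincrement ids. Names (User, Document, DOCUMENTS, the
"documents" permission) are assumptions for this example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Document:
    document_id: int   # autoincrement primary key: guessable
    patient_id: int
    handle: str        # random public identifier: not guessable
    content: bytes


# Constructed sample data: two patients with one document each.
DOCUMENTS = {
    1: Document(1, 100, secrets.token_urlsafe(16), b"lab results, patient 100"),
    2: Document(2, 200, secrets.token_urlsafe(16), b"lab results, patient 200"),
}
BY_HANDLE = {d.handle: d for d in DOCUMENTS.values()}


def fetch_document_vulnerable(user, patient_id, document_id):
    """Pre-fix behaviour: the ids taken from the URL are trusted as-is, so
    any authenticated user can walk document_id=1,2,3,... and read them."""
    return DOCUMENTS[document_id].content


def authorize(user, patient_id, document_id):
    """Return True only if the user may read this document via this patient."""
    if "documents" not in user.permissions:
        return False
    doc = DOCUMENTS.get(document_id)
    # Reject id mixing: the document must belong to the patient named in the
    # request, otherwise one valid patient_id grants access to everyone's files.
    return doc is not None and doc.patient_id == patient_id


def fetch_document(user, patient_id, document_id):
    """Hardened: enforce authorize() before touching the content."""
    if not authorize(user, patient_id, document_id):
        raise PermissionError("access to document denied")
    return DOCUMENTS[document_id].content


def fetch_document_by_handle(user, handle):
    """Lookup by random handle: guessing a 128-bit token is not practical,
    unlike incrementing an integer id."""
    if "documents" not in user.permissions:
        raise PermissionError("access to documents section denied")
    doc = BY_HANDLE.get(handle)
    if doc is None:
        raise PermissionError("unknown document")
    return doc.content


if __name__ == "__main__":
    nurse = User("nurse")                    # no documents permission
    clerk = User("clerk", {"documents"})
    print(fetch_document_vulnerable(nurse, 100, 2))   # leaks patient 200's file
    print(authorize(nurse, 100, 2), authorize(clerk, 100, 2), authorize(clerk, 200, 2))
```

Both checks are needed: the permission check alone still lets a user with document rights read every patient's files by mixing ids, and the ownership check alone does nothing for a user who should not see documents at all.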
OpenEMR – File Upload Content-Type Validation Error (CVE-2022-4506)
by Manuel Ginés
The upload functionality does not properly validate the file content type: any authenticated user can bypass the check by prepending a valid file signature (e.g. the GIF89a magic bytes) and sending an invalid Content-Type. An authenticated attacker could use this to upload HTML files containing JavaScript that executes in the context of the application's domain.
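The bypass and its fix, as an added Python example (not OpenEMR's code). It assumes a hypothetical upload endpoint that stores a content type with each file and reuses it when serving; the sample polyglot and the 1x1 GIF are constructed inputs:

```python
"""Upload type validation and response headers.

Added example, not OpenEMR's code. It reproduces the class of bypass the
advisory describes: a file that starts with a valid image signature but
carries HTML/JS, uploaded with an attacker-chosen Content-Type. The
hardened path derives the type from the bytes, rejects polyglots and pins
the headers used when the file is served. Function names and the
in-memory "stored" dict are assumptions for this example.
"""
import re

# File signatures (magic bytes) for the types the upload endpoint allows.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}
# Markup a browser would act on if it ever treated the file as HTML.
HTML_MARKERS = re.compile(rb"<\s*(script|html|body|iframe|svg|object)\b", re.I)


def sniff(data):
    """Type implied by the leading bytes, or None if unrecognised."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def accept_upload_vulnerable(client_content_type, data):
    """Modelled on the flaw: the signature check passes because the file
    starts with GIF89a, while the client's Content-Type is stored unchecked
    and reused when the file is served back."""
    if sniff(data) is None:
        return None
    return {"content_type": client_content_type, "data": data}


def accept_upload(client_content_type, data):
    """Hardened: ignore the client's header, type the file from its bytes,
    and refuse anything that also looks like HTML (polyglot)."""
    mime = sniff(data)
    if mime is None:
        return None
    if HTML_MARKERS.search(data):
        return None
    return {"content_type": mime, "data": data}


def serve_headers_vulnerable(stored):
    return {"Content-Type": stored["content_type"]}


def serve_headers(stored):
    """Server-chosen type, no MIME sniffing, and download instead of inline
    rendering, so even an undetected polyglot is not run in the site's origin."""
    return {
        "Content-Type": stored["content_type"],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }


# Constructed inputs: a polyglot "GIF" carrying script, and a real 1x1 GIF.
POLYGLOT = b"GIF89a<script>alert(document.domain)</script>"
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    bad = accept_upload_vulnerable("text/html", POLYGLOT)
    print(serve_headers_vulnerable(bad))         # Content-Type: text/html
    print(accept_upload("text/html", POLYGLOT))  # None: rejected
    print(serve_headers(accept_upload("text/html", TINY_GIF)))
```

The marker regex is defense in depth, not the main control: the type assigned by the server and the `nosniff` plus `attachment` headers are what stop a reflected file from executing. Re-encoding images through an image library before storage is stronger still, since it discards any trailing payload.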
OpenEMR – Reflected Cross-Site Scripting in Payments Module (CVE-2022-4503)
by Manuel Ginés
The credit card payment script did not properly encode the “cardHolderName” and “zip” parameters, allowing a user to inject raw HTML into the server response.
OpenEMR – Improper Name Validation in Document Uploads (CVE-2022-4505)
by Manuel Ginés
The name of any uploaded document can be manipulated through the “destination” parameter to include newline characters. This can be abused to break the execution of the JavaScript in the “Documents” section, leaving it unusable until the malicious record is removed from the database.
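How a newline in a stored name breaks a script assembled by concatenation, and the two fixes (validate the name before it is stored, and JSON-encode data placed inside a script block), as an added Python example that is not OpenEMR's code. The function names and the `var docs = [...]` script shape are assumptions:

```python
"""Document name validation and safe embedding in script.

Added example, not OpenEMR's code. It shows how a newline in a stored name
breaks a script that is built by string concatenation, and the two fixes:
reject control characters and path parts before the name is stored, and
JSON-encode anything that is placed inside a <script> block. Function
names and the script shape are assumptions for this example.
"""
import json
import posixpath
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_valid_document_name(name):
    """Accept only a plain file name: no path parts, no control characters
    (newline, carriage return, NUL, ...), not empty, not a dot name."""
    if not name or name in (".", ".."):
        return False
    if CONTROL_CHARS.search(name):
        return False
    # A "destination" such as ../x or /tmp/x must not survive as a name.
    if posixpath.basename(name) != name or "\\" in name:
        return False
    return True


def document_list_script_vulnerable(names):
    """Builds the page's script by concatenation. A name containing a
    newline ends the JS string literal early, so the whole script is a
    syntax error and the section stops working."""
    items = ",".join("'" + n + "'" for n in names)
    return "var docs = [" + items + "];"


def document_list_script(names):
    """JSON-encode the data. json.dumps escapes newlines and quotes and,
    with the default ensure_ascii=True, the JS line terminators U+2028 and
    U+2029; the extra replacements stop '</script>' or '<!--' inside a name
    from ending the script element."""
    encoded = json.dumps(names)
    encoded = (encoded.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "var docs = " + encoded + ";"


if __name__ == "__main__":
    names = ["ok.pdf", "evil\n.pdf"]       # constructed: second name is malicious
    print([is_valid_document_name(n) for n in names])
    print(document_list_script_vulnerable(names))   # broken JS literal
    print(document_list_script(names))              # var docs = ["ok.pdf", "evil\n.pdf"];
```

Do both: input validation keeps the stored record clean, and output encoding means a record that slipped in through another path (or a legitimate name with quotes) still cannot break or alter the script.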
OpenEMR – Multiple Reflected Cross-Site Scripting in Messages Module (CVE-2022-4502)
by Manuel Ginés
The messages module was affected by two instances of reflected Cross-Site Scripting (XSS). The first involved the “stage” parameter of the “setup” functionality. The second used the POST parameter named “parameter” in the message-saving functionality, which reflected the payload in a response returned with an HTML content type.
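Output encoding for the reflected parameters in the payments advisory above (“cardHolderName”, “zip”) and in this one (“stage”, “parameter”), as an added Python example that is not OpenEMR's code. The page fragments, function names and the attacker payload are constructed for the example; the second pair of functions shows the content-type side of the message-saving bug:

```python
"""Reflected parameters: output encoding and response content type.

Added example, not OpenEMR's code. It covers the two advisories above:
parameters echoed into an HTML page (cardHolderName, zip, stage) must be
HTML-escaped for the context they land in, and an endpoint that only
returns data (the message-saving call that echoed "parameter") should
answer with a non-HTML content type, so the browser never interprets a
reflected payload as markup. Function names and the page fragments are
assumptions for this example.
"""
import html
import json

# Constructed attacker input, as it would arrive in a query string or POST.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"


def payment_page_vulnerable(card_holder_name, zip_code):
    """Pre-fix pattern: request values are concatenated straight into markup."""
    return ('<p>Card holder: ' + card_holder_name + '</p>'
            '<input name="zip" value="' + zip_code + '">')


def payment_page(card_holder_name, zip_code):
    """Escape for the HTML context. quote=True also covers the attribute
    value delimited by double quotes, where a lone '"' would otherwise let
    the attacker add event-handler attributes."""
    return ('<p>Card holder: ' + html.escape(card_holder_name, quote=True) + '</p>'
            '<input name="zip" value="' + html.escape(zip_code, quote=True) + '">')


def save_message_response_vulnerable(parameter):
    """Echoes the posted value back in a body served as text/html."""
    return {"Content-Type": "text/html"}, "saved: " + parameter


def save_message_response(parameter):
    """Data endpoint: JSON body, JSON content type, nosniff. A payload that
    sits inside a JSON string is data, not markup, for the browser."""
    headers = {"Content-Type": "application/json",
               "X-Content-Type-Options": "nosniff"}
    return headers, json.dumps({"saved": parameter})


def reflected_unescaped(body):
    """True if the attacker's tag survives verbatim in the response body."""
    return PAYLOAD in body


if __name__ == "__main__":
    print(payment_page_vulnerable(PAYLOAD, "12345"))
    print(payment_page(PAYLOAD, "12345"))
    print(save_message_response_vulnerable(PAYLOAD))
    print(save_message_response(PAYLOAD))
```

The escaping function must match the output context: `html.escape` is right for element content and double-quoted attributes, but a value placed inside a script block or a URL needs JSON or URL encoding instead.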