Security advisories

Vulnerabilities discovered by the Sofistic team

OpenEMR – Broken Access Controls in Patient’s Document Section (CVE-2022-4567)

by Manuel Ginés

An authenticated user with no permission to access the "Documents" section could directly access any document in the system by manipulating the patient_id and document_id parameters in the URL. Because both identifiers are autoincrement values, they could also be brute-forced, which lowers the effort needed to find valid documents. A second instance of the same flaw allowed unprivileged users to upload files into any user's document repository.
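The access-control pattern described above, modelled as an added Python example (not OpenEMR or Sofistic code): a handler that trusts the URL parameters once the user is logged in, the hardened handler that checks the section ACL, document ownership and patient visibility, and the linear walk over the autoincrement id space that the advisory calls out. The `Document`/`Session` types, the `"patients/docs"` ACL name and the in-memory `DOCUMENTS` table are assumptions for illustration.

```python
# Added example: broken access control on document lookups. Not OpenEMR code;
# Document, Session, the "patients/docs" ACL name and DOCUMENTS are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Document:
    document_id: int
    patient_id: int
    name: str


@dataclass
class Session:
    user: Optional[str]
    acl: set = field(default_factory=set)       # e.g. {"patients/docs"}
    patients: set = field(default_factory=set)  # patient ids this user may view


# Constructed sample data with autoincrement ids, as in the advisory.
DOCUMENTS = {
    1: Document(1, 10, "labs-2022.pdf"),
    2: Document(2, 11, "xray.png"),
    3: Document(3, 10, "discharge.pdf"),
}


def fetch_document_vulnerable(session: Session, patient_id: int,
                              document_id: int) -> Optional[Document]:
    """Only checks that someone is logged in, then trusts the URL parameters."""
    if session.user is None:
        return None
    return DOCUMENTS.get(document_id)


def fetch_document_hardened(session: Session, patient_id: int,
                            document_id: int) -> Optional[Document]:
    """Checks the section ACL, that the document really belongs to the patient
    named in the URL, and that the user may view that patient. Missing and
    forbidden both return None so the response does not confirm which ids exist."""
    if session.user is None or "patients/docs" not in session.acl:
        return None
    doc = DOCUMENTS.get(document_id)
    if doc is None or doc.patient_id != patient_id:
        return None
    if patient_id not in session.patients:
        return None
    return doc


def enumerate_documents(fetch: Callable, session: Session, max_id: int = 10) -> list:
    """Walks the autoincrement id space with a bogus patient_id, the way a
    low-privilege user would brute-force valid documents."""
    found = []
    for did in range(1, max_id + 1):
        doc = fetch(session, 0, did)
        if doc is not None:
            found.append(doc.document_id)
    return found


if __name__ == "__main__":
    nobody = Session(user="nurse")  # logged in, no document permission
    print("vulnerable:", enumerate_documents(fetch_document_vulnerable, nobody))
    print("hardened:  ", enumerate_documents(fetch_document_hardened, nobody))
```

Note that the hardened version ties the document to the patient_id actually requested, so an attacker cannot pair an arbitrary patient id with a guessed document id, and it answers "not found" uniformly rather than leaking which ids exist.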

OpenEMR – File Upload Content-Type Validation Error (CVE-2022-4506)

by Manuel Ginés

The upload functionality does not properly validate the file content type: any authenticated user can bypass the check by prefixing the file with a valid signature (e.g. the GIF89a header) while sending an arbitrary content type. An authenticated attacker could use this to upload HTML files containing JavaScript that executes in the context of the application's domain.
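An added Python example of the validation gap above (not OpenEMR or Sofistic code): a validator that accepts a file once its leading bytes match a known signature and then keeps the client-declared Content-Type for serving, beside a version that derives the stored type from the bytes and rejects a declared type that disagrees. `MAGIC`, `ALLOWED`, the helper names and the sample uploads are assumptions constructed for illustration.

```python
# Added example: signature check vs. content-type trust on uploads. Not OpenEMR
# code; MAGIC, ALLOWED and the helper names are assumptions for illustration.
from typing import Optional

# Leading byte signatures of the types this hypothetical uploader accepts.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}
ALLOWED = set(MAGIC.values())


def sniff(data: bytes) -> Optional[str]:
    """Returns the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def validate_upload_vulnerable(data: bytes, declared_type: str) -> str:
    """Checks only the signature, then stores the client-declared Content-Type,
    which is what gets sent back when the file is served."""
    if sniff(data) is None:
        raise ValueError("unknown file type")
    return declared_type


def validate_upload_hardened(data: bytes, declared_type: str) -> str:
    """Stores the sniffed type and rejects uploads whose declared type disagrees
    with their content. The client-declared value never reaches a response."""
    sniffed = sniff(data)
    if sniffed is None or sniffed not in ALLOWED:
        raise ValueError("unknown or disallowed file type")
    if media_type(declared_type) != sniffed:
        raise ValueError(f"declared {declared_type!r} but content is {sniffed}")
    return sniffed


def download_headers(stored_type: str, filename: str) -> dict:
    """Headers for serving a stored document: the stored type, no browser
    sniffing, and attachment rather than inline. filename is assumed to have
    been validated at upload time."""
    return {
        "Content-Type": stored_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


# Constructed sample uploads: a GIF89a-prefixed HTML polyglot and a real GIF header.
POLYGLOT = b"GIF89a<html><body><script>alert(document.domain)</script></body></html>"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"

if __name__ == "__main__":
    print("vulnerable stores:", validate_upload_vulnerable(POLYGLOT, "text/html"))
    try:
        validate_upload_hardened(POLYGLOT, "text/html")
    except ValueError as exc:
        print("hardened rejects:", exc)
    print(download_headers(validate_upload_hardened(REAL_GIF, "image/gif"), "a.gif"))
```

Even if the polyglot is declared as image/gif and therefore accepted, the hardened path serves it as image/gif with nosniff and as an attachment, so the browser never parses the HTML payload as a document in the application's origin.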

OpenEMR – Reflected Cross-Site Scripting in Payments Module (CVE-2022-4503)

by Manuel Ginés

The credit card payment script did not encode the "cardHolderName" and "zip" parameters before reflecting them, allowing an attacker to inject unescaped HTML into the server response.

OpenEMR – Improper Name Validation in Document Uploads (CVE-2022-4505)

by Manuel Ginés

The name of an uploaded document can be manipulated through the "destination" parameter to include newline characters. Because that name is later embedded in the JavaScript of the "Documents" section, the newline breaks the script and leaves the section unusable until the malicious record is removed from the database.
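An added Python example of the failure mode above (not OpenEMR or Sofistic code): a stored name containing a newline is concatenated into a JavaScript literal on the listing page, so the whole script fails to parse, and two independent fixes, validating the name against an allowlist when the "destination" parameter is processed and emitting it as a proper JS string literal at render time. The `DOC_NAME` pattern, the rendering helpers and the sample names are assumptions constructed for illustration.

```python
# Added example: newline in a document name breaking embedded JavaScript. Not
# OpenEMR code; DOC_NAME, the "destination" handling and the helpers are assumptions.
import json
import re

# Hypothetical allowlist for a stored document name: printable, no path
# separators, no control characters, bounded length.
DOC_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._()-]{0,254}")


def normalize_document_name(destination: str) -> str:
    """Takes the client-supplied destination, keeps only its last path
    component and rejects anything outside the allowlist (newlines included)."""
    name = destination.replace("\\", "/").rsplit("/", 1)[-1]
    if not DOC_NAME.fullmatch(name):
        raise ValueError(f"invalid document name: {name!r}")
    return name


def render_list_vulnerable(names: list) -> str:
    """String-concatenates each name into a JS literal. One stored name with a
    raw newline terminates the literal early; the script no longer parses and
    the section stays broken until that record is deleted."""
    items = ",".join("'" + n + "'" for n in names)
    return "<script>var docs = [" + items + "];</script>"


def render_list_hardened(names: list) -> str:
    """json.dumps escapes control characters, quotes and backslashes (and, with
    the default ensure_ascii, U+2028/U+2029); '</' is escaped as well so a name
    cannot close the <script> element."""
    literal = json.dumps(names).replace("</", "<\\/")
    return "<script>var docs = " + literal + ";</script>"


def has_raw_newline(script: str) -> bool:
    """A raw newline inside a JS string literal is a syntax error. json.dumps
    emits the two characters backslash-n instead, so the hardened output never
    contains one."""
    return "\n" in script


# Constructed sample: one legitimate name and one injected through "destination".
NAMES = ["labs-2022.pdf", "x.pdf\n'; document.body.innerHTML = '"]

if __name__ == "__main__":
    print(render_list_vulnerable(NAMES))
    print(render_list_hardened(NAMES))
    for dest in ["uploads/labs-2022.pdf", "x.pdf\ny"]:
        try:
            print("accepted:", normalize_document_name(dest))
        except ValueError as exc:
            print("rejected:", exc)
```

Both fixes belong together: input validation keeps bad records out of the database, and output encoding means a record that slipped in (or an existing one) can no longer take the whole section down.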

OpenEMR – Multiple Reflected Cross-Site Scripting in Messages Module (CVE-2022-4502)

by Manuel Ginés

The messages module was affected by two reflected Cross-Site Scripting (XSS) issues. The first is in the "stage" parameter of the "setup" functionality. The second is in the POST parameter named "parameter" of the message-saving functionality, which reflected the payload in a response served with an HTML content type.
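An added Python example (not OpenEMR or Sofistic code) covering both the payments-module and messages-module reflections above: request parameters interpolated straight into HTML beside the output-encoded version, a save handler that echoes a POST field in a text/html body beside one that answers with JSON and a JSON content type, and the canary check a tester uses to decide whether a reflection is exploitable. The function names, response shapes and the sample payload are assumptions for illustration.

```python
# Added example: reflected XSS via unencoded parameters and via an HTML-typed
# echo of a POST field. Not OpenEMR code; names and response shapes are assumptions.
import html
import json


def render_payment_vulnerable(card_holder_name: str, zip_code: str) -> str:
    """Interpolates request parameters straight into HTML."""
    return (f"<p>Card holder: {card_holder_name}</p>"
            f"<p>ZIP: {zip_code}</p>")


def render_payment_hardened(card_holder_name: str, zip_code: str) -> str:
    """html.escape turns <, >, &, double and single quotes into entities, so the
    values are displayed rather than parsed. Encode at output, for the HTML context."""
    return (f"<p>Card holder: {html.escape(card_holder_name, quote=True)}</p>"
            f"<p>ZIP: {html.escape(zip_code, quote=True)}</p>")


def save_message_vulnerable(parameter: str) -> tuple:
    """Echoes a POST field in a body served as text/html: the browser renders it."""
    return ("text/html; charset=utf-8", f"Saved parameter: {parameter}")


def save_message_hardened(parameter: str) -> tuple:
    """Returns the echo as a JSON string inside an application/json body. The
    value is never placed in markup, and the content type tells the browser not
    to parse the response as a document."""
    return ("application/json; charset=utf-8", json.dumps({"saved": parameter}))


def reflected_as_html(content_type: str, body: str, canary: str) -> bool:
    """Tester's check: the canary comes back byte-for-byte in a response the
    browser will parse as HTML. The same bytes in a JSON body do not execute."""
    is_html = content_type.split(";", 1)[0].strip().lower() == "text/html"
    return is_html and canary in body


# Constructed sample payload, the usual reflected-XSS probe.
PAYLOAD = "<script>alert(document.domain)</script>"

if __name__ == "__main__":
    for fn in (render_payment_vulnerable, render_payment_hardened):
        body = fn(PAYLOAD, "12071")
        print(fn.__name__, "exploitable:", reflected_as_html("text/html", body, PAYLOAD))
    for fn in (save_message_vulnerable, save_message_hardened):
        ctype, body = fn(PAYLOAD)
        print(fn.__name__, ctype, "exploitable:", reflected_as_html(ctype, body, PAYLOAD))
```

For the JSON response, pair the content type with X-Content-Type-Options: nosniff so that no browser second-guesses it; the canary used in practice should also include quotes and an ampersand, since a reflection inside an attribute value is exploitable without angle brackets.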
