Vendor: OpenEMR
By: Wan Ikram, Fikri Fadzil, Jasveer Singh, SEC Consult Vulnerability Lab
CVSS: 9 (CRITICAL)
CWE: 78 (OS Command Injection)
Product Name: OpenEMR
Affected Version From: 5.0.0
Affected Version To: 5.0.0 Patch 2 or higher
Patch Exists: YES
Related CWE: -
CPE: OpenEMR
Platforms Tested:
2017
OS Command Injection & Reflected Cross Site Scripting
Arbitrary OS commands can be injected by an authenticated attacker with any user role. This is a serious vulnerability, as the chance of the system being compromised is high.
Mitigation:
SEC Consult recommends not attaching OpenEMR to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved.