Vulnerabilities > Open EMR > Openemr
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-17 | CVE-2021-41843 | SQL Injection vulnerability in Open-Emr Openemr 6.0.0 An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI. | 6.5 |
| 2021-09-01 | CVE-2021-40352 | Authorization Bypass Through User-Controlled Key vulnerability in Open-Emr Openemr 6.0.0 OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users. | 6.5 |
| 2021-06-24 | CVE-2021-25923 | Weak Password Requirements vulnerability in Open-Emr Openemr In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. | 8.1 |
| 2021-05-07 | CVE-2021-32101 | Incorrect Permission Assignment for Critical Resource vulnerability in Open-Emr Openemr 5.0.2.1 The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. | 8.2 |
| 2021-05-07 | CVE-2021-32102 | SQL Injection vulnerability in Open-Emr Openemr 5.0.2.1 A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | 8.8 |
| 2021-05-07 | CVE-2021-32103 | Cross-site Scripting vulnerability in Open-Emr Openemr A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | 4.8 |
| 2021-05-07 | CVE-2021-32104 | SQL Injection vulnerability in Open-Emr Openemr 5.0.2.1 A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | 8.8 |
| 2021-04-13 | CVE-2020-13568 | SQL Injection vulnerability in multiple products SQL injection vulnerability exists in phpGACL 3.3.7. | 8.8 |
| 2021-04-13 | CVE-2020-13566 | SQL Injection vulnerability in multiple products SQL injection vulnerabilities exist in phpGACL 3.3.7. | 8.8 |
| 2021-03-22 | CVE-2021-25922 | Cross-site Scripting vulnerability in Open-Emr Openemr In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. | 6.1 |