Improper Access Control in OpenEMR Affects User Security
CVE-2021-25920

6.5MEDIUM

Key Information:

Vendor: Open-emr
Status: Openemr
Vendor: CVE Published:; 22 March 2021

What is CVE-2021-25920?

OpenEMR versions from v2.7.2-rc1 to 6.0.0 are exposed to an access control vulnerability that can be exploited during user creation. This flaw permits an unauthorized user to gain access to sensitive data, enabling them to read and send messages on behalf of legitimate users. Such an oversight compromises user privacy and poses significant risks to communications within the system.

Affected Version(s)

openemr 2.7.2-rc1, 2.7.2-rc2, 2.7.2, 2.7.3-rc1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.0.3, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0

References

https://github.com/openemr/openemr/commit/0fadc3e592d84bc...

x_refsource_MISC

https://www.whitesourcesoftware.com/vulnerability-databas...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2021
Vulnerability Reserved
Jan 22, 2021

CVE-2021-25920 Data

JSON

Open-emr

What is CVE-2021-25920?

Affected Version(s)

References

CVSS V3.1

Timeline