Weak Password Requirements in OpenEMR by OpenEMR Inc.
CVE-2021-25923

8.1 HIGH

Key Information:

Vendor: Open-emr
Status: Vendor
CVE Published: 24 June 2021

What is CVE-2021-25923?

OpenEMR versions 5.0.0 through 6.0.0.1 enforce no maximum password length, so only the first 72 characters of a password are effectively checked at login. An attacker who knows those first 72 characters can therefore authenticate as the user without knowing the remainder. This makes account takeover feasible with relatively little effort and shows the need for stricter password management and security measures.
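The 72-character figure in the description is bcrypt's input limit: PHP's password_hash() with PASSWORD_BCRYPT hashes only the first 72 bytes and silently ignores the rest, so two passwords that agree on those bytes verify against the same hash. The following PHP snippet is an added illustration written for this page, not OpenEMR code and not the fix the project shipped; it shows the unchecked pattern beside a hardened version that rejects passwords bcrypt would truncate. The function names and the sample passwords are constructed for the demo.

```php
<?php
declare(strict_types=1);

// bcrypt (PASSWORD_BCRYPT) only consumes the first 72 bytes of its input.
const BCRYPT_MAX_BYTES = 72;

// Weak pattern: hash whatever the user submits, with no length check.
// Any bytes past position 72 never influence the stored hash.
function hashPasswordUnchecked(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

// Hardened pattern: refuse a password that bcrypt would silently truncate,
// so the stored hash always covers the whole secret. strlen() counts bytes,
// which is the unit bcrypt limits on (multi-byte UTF-8 shortens the budget).
function hashPasswordChecked(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(
            sprintf('Password must be at most %d bytes', BCRYPT_MAX_BYTES)
        );
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed demo input: two passwords identical for the first 72 bytes
// and different afterwards.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$real   = $prefix . 'secret-tail-1';
$guess  = $prefix . 'completely-different-tail';

// With the unchecked hash, the tail was never part of the digest, so the
// guess that only matches the first 72 bytes verifies against it.
$hash = hashPasswordUnchecked($real);
var_dump(password_verify($guess, $hash));

// The hardened version refuses to store a truncated hash in the first place.
try {
    hashPasswordChecked($real);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting over-long passwords at registration and password-change time is the simplest mitigation; an alternative that keeps long passphrases usable is to pre-hash the input (for example SHA-256, then base64-encode) before passing it to bcrypt, so the value bcrypt sees is always under 72 bytes and still depends on every character. Whichever is chosen, the same length rule must be applied consistently at login, or users with long passwords will be locked out.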

Affected Version(s)

openemr v5.0.0, v5.0.0.5, v5.0.0.6, v5.0.1, v5.0.1.1, v5.0.1.2, v5.0.1.3, v5.0.1.4, v5.0.1.5, v5.0.1.6, v5.0.1.7, v5.0.2, v5.0.2.1, v5.0.2.2, v5.0.2.3, v5.0.2.4, v6.0.0, v6.0.0.1

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
