SQL Injection Vulnerability in OpenEMR Calendar Search Function
CVE-2021-41843

6.5 MEDIUM

Key Information:

Vendor: Open-emr

Status
Vendor
CVE Published: 17 December 2021

What is CVE-2021-41843?

An authenticated SQL injection vulnerability exists in the calendar search functionality of OpenEMR versions prior to patch 3. An attacker with valid access to the application can manipulate the 'provider_id' parameter, which is not safely handled before reaching the database query, and thereby read sensitive data from all tables in the database. Exploitation of this vulnerability can lead to unauthorized data disclosure, impacting the integrity and confidentiality of the information stored in the OpenEMR database.

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
