Path Traversal Vulnerability in OpenEMR Software by OpenEMR
CVE-2023-22974

7.5HIGH

Key Information:

Vendor: Open-emr
Status: Openemr
Vendor: CVE Published:; 22 February 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-22974?

A vulnerability in the setup.php file of OpenEMR versions prior to 7.0.0 enables remote unauthenticated users to exploit path traversal, facilitating unauthorized access to sensitive files. By manipulating connections to a malicious MySQL server, attackers can read arbitrary files on the server, exposing critical data and potentially compromising the integrity of healthcare systems using this software.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-22974
Created by gbrsh

References

https://www.open-emr.org/wiki/index.php/OpenEMR_Patches#7...

https://www.sonarsource.com/blog/openemr-remote-code-exec...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 23, 2023
👾
Exploit known to exist
Feb 23, 2023
Vulnerability published
Feb 22, 2023
Vulnerability Reserved
Jan 11, 2023

CVE-2023-22974 Data

JSON

Open-emr

Badges

What is CVE-2023-22974?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline