Filtered by vendor Open-emr Subscriptions
Filtered by product Openemr Subscriptions
Total 129 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2017-1000240 1 Open-emr 1 Openemr 2024-11-21 N/A
The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.
CVE-2015-4453 1 Open-emr 1 Openemr 2024-11-21 N/A
interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via an ignoreAuth=1 value to certain scripts, as demonstrated by (1) interface/fax/fax_dispatch_newpid.php and (2) interface/billing/sl_eob_search.php.
CVE-2014-5462 1 Open-emr 1 Openemr 2024-11-21 N/A
Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) layout_id parameter to interface/super/edit_layout.php; (2) form_patient_id, (3) form_drug_name, or (4) form_lot_number parameter to interface/reports/prescriptions_report.php; (5) payment_id parameter to interface/billing/edit_payment.php; (6) id parameter to interface/forms_admin/forms_admin.php; (7) form_pid or (8) form_encounter parameter to interface/billing/sl_eob_search.php; (9) sortby parameter to interface/logview/logview.php; form_facility parameter to (10) procedure_stats.php, (11) pending_followup.php, or (12) pending_orders.php in interface/orders/; (13) patient, (14) encounterid, (15) formid, or (16) issue parameter to interface/patient_file/deleter.php; (17) search_term parameter to interface/patient_file/encounter/coding_popup.php; (18) text parameter to interface/patient_file/encounter/search_code.php; (19) form_addr1, (20) form_addr2, (21) form_attn, (22) form_country, (23) form_freeb_type, (24) form_partner, (25) form_name, (26) form_zip, (27) form_state, (28) form_city, or (29) form_cms_id parameter to interface/practice/ins_search.php; (30) form_pid parameter to interface/patient_file/problem_encounter.php; (31) patient, (32) form_provider, (33) form_apptstatus, or (34) form_facility parameter to interface/reports/appointments_report.php; (35) db_id parameter to interface/patient_file/summary/demographics_save.php; (36) p parameter to interface/fax/fax_dispatch_newpid.php; or (37) patient_id parameter to interface/patient_file/reminder/patient_reminders.php.
CVE-2013-4620 1 Open-emr 1 Openemr 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in interface/main/onotes/office_comments_full.php in OpenEMR 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the note parameter.
CVE-2013-4619 1 Open-emr 1 Openemr 2024-11-21 N/A
Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) start or (2) end parameter to interface/reports/custom_report_range.php, or the (3) form_newid parameter to custom/chart_tracker.php.
CVE-2012-2115 1 Open-emr 1 Openemr 2024-11-21 N/A
SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the u parameter.
CVE-2011-5161 1 Open-emr 1 Openemr 2024-11-21 N/A
Unrestricted file upload vulnerability in the patient photograph functionality in OpenEMR 4 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the patient directory under documents/.
CVE-2011-5160 1 Open-emr 1 Openemr 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in setup.php in OpenEMR 4 allows remote attackers to inject arbitrary web script or HTML via the site parameter.
CVE-2024-0875 2 Open-emr, Openemr 2 Openemr, Openemr 2024-11-19 4.8 Medium
A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.