CVE Vulnerability

CVE-2021-32101

The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient.

6.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

8.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592 Third Party Advisory
https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431 Vendor Advisory
https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability Third Party Advisory
https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:open-emr:openemr:5.0.2.1:*:*:*:*:*:*:*
Information

Published : 2021-05-07 04:15

Updated : 2021-05-11 05:41

NVD link : CVE-2021-32101

Mitre link : CVE-2021-32101

Products Affected
No products.
CWE
CWE-732