Sign In
Advisories

OpenEMR 5.0.2.1 - Remote Code Execution

Go Back
severity
medium
date
Affecting

  • OpenEMR 5.0.2.1

CWE
  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS
4.8
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Credit
Hato0, BvThTrd
Description
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance.