Описание
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.
Ссылки
- ExploitThird Party AdvisoryVDB Entry
- ExploitMailing ListThird Party Advisory
- ExploitThird Party Advisory
- ExploitThird Party Advisory
- ExploitThird Party AdvisoryVDB Entry
- ExploitMailing ListThird Party Advisory
- ExploitThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:open-emr:openemr:6.0.0:-:*:*:*:*:*:*
cpe:2.3:a:open-emr:openemr:6.0.0:patch_1:*:*:*:*:*:*
cpe:2.3:a:open-emr:openemr:6.0.0:patch_2:*:*:*:*:*:*
EPSS
Процентиль: 40%
0.00179
Низкий
6.5 Medium
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-89
Связанные уязвимости
github
около 4 лет назад
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.
EPSS
Процентиль: 40%
0.00179
Низкий
6.5 Medium
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-89