Researchers have identified three independent vulnerabilities in OpenEMR, an open-source software program for electronic health records and medical practice management.
Clean code experts at Sonar published an advisory on Wednesday about the flaws, which were discovered by security researcher Dennis Brinkrolf.
“During our security research of popular web applications, we discovered several code vulnerabilities in OpenEMR,” Brinkrolf wrote.
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure.”
The security expert explained that the company’s static application security testing (SAST) engine found that two of these three vulnerabilities, combined, could lead to unauthenticated remote code execution (RCE).
“In summary, an attacker can use the reflected XSS, upload a PHP file […] and then use the path traversal via the Local File Inclusion to execute the PHP file. It takes a few tries to figure out the right Unix timestamp but eventually leads to remote code execution.”
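The chain quoted above depends on two server-side weaknesses: an upload that accepts a PHP file, and an include that follows a user-controlled path. The following PHP is an added illustration of the checks that break both links; it is not OpenEMR's code, and the directory names, the file-name pattern and the use of PHP 8 string functions are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not OpenEMR code: server-side checks against an uploaded PHP file
// being reached through a path-traversal include. Directories and patterns are assumed.

// Accept an upload only with an allow-listed extension and matching content type, and
// store it outside the web root under a random name, so a stored file never has a
// URL that the web server would execute.
function storeUpload(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // .php, .phtml and similar never reach this point
    }
    // Check the real content type of the temp file, not the client-supplied one.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    $target = $storageDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Resolve a requested page strictly inside $baseDir before including it.
function resolveIncludePath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // The pattern admits a bare file name only: no "/", "\", "..", NUL or non-.php name.
    if ($base === false || !preg_match('/^[A-Za-z0-9_-]+\.php$/', $requested)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks, so confirm the final location is still under $base.
    if ($candidate === false || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Usage with assumed directories: uploads land outside DOCUMENT_ROOT, includes stay in templates/.
$saved = isset($_FILES['doc']) ? storeUpload($_FILES['doc'], '/var/openemr-uploads') : null;
$page  = resolveIncludePath(__DIR__ . '/templates', $_GET['page'] ?? '');
if ($page === null) {
    http_response_code(400);
    exit('invalid page');
}
require $page;
```

The two functions are independent on purpose: even if one is bypassed, an uploaded file that sits outside the document root cannot be served or executed, and an include that is pinned to one directory cannot reach the upload directory.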
As for the third vulnerability, it allowed attackers to configure OpenEMR in a certain way in order to eventually steal user data.
“In other words, if OpenEMR is set up the right way, an unauthenticated attacker can read files like certificates, passwords, tokens, and backups from an OpenEMR instance through a rogue MySQL server,” Brinkrolf said.
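The page does not spell out how a rogue MySQL server reads files, but the usual mechanism is the server side of the LOAD DATA LOCAL INFILE protocol: a client that has the option enabled will read a file from its own disk whenever the server it is talking to asks for one. The PHP below is an added example, not OpenEMR's code, of disabling that option on the client for both the mysqli and PDO drivers; the hostname, credentials and database name are placeholders.

```php
<?php
declare(strict_types=1);
// Added illustration, not OpenEMR code. With LOAD DATA LOCAL INFILE enabled, the MySQL
// client sends a local file whenever the *server* requests one, which is what lets a
// rogue server read the web host's files. Turning the option off on the client side
// protects the application regardless of which database host it has been pointed at.
// Host, user, password and database below are placeholders.

function connectMysqli(string $host, string $user, string $pass, string $db): mysqli
{
    $link = mysqli_init();
    if ($link === false) {
        throw new RuntimeException('mysqli_init() failed');
    }
    // Refuse any LOAD DATA LOCAL INFILE request coming from the server.
    $link->options(MYSQLI_OPT_LOCAL_INFILE, false);
    if (!$link->real_connect($host, $user, $pass, $db)) {
        throw new RuntimeException('connect failed: ' . $link->connect_error);
    }
    return $link;
}

function connectPdo(string $host, string $user, string $pass, string $db): PDO
{
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
        PDO::MYSQL_ATTR_LOCAL_INFILE => false, // same protection for the PDO driver
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    ]);
}

$db = connectMysqli('db.example.invalid', 'openemr', 'changeme', 'openemr');
```

A quick check on an existing deployment is to confirm the option is off in whichever driver the application uses; a client that never enables local infile cannot be made to hand over certificates, tokens or backups no matter what the server on the other end answers.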
The security researcher added that Sonar reported all issues to the OpenEMR maintainers on October 24, 2022, who then released a patch in version 7.., fixing all three vulnerabilities 7 days later.
“If you are using OpenEMR, we strongly recommend updating to the fixed versions mentioned above,” the Sonar post concluded. “We want to thank the OpenEMR team for their professional and fast responses and patches.”
The patched vulnerabilities come almost five years after researchers at Project Insecurity discovered around 20 flaws (now fixed) in OpenEMR.
Some parts of this article are sourced from:
www.infosecurity-magazine.com