8.2

CVE-2021-32101

EPSS 0.22%
Veröffentlicht 07.05.2021 04:15:07
Zuletzt bearbeitet 21.11.2024 06:06:50
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Open-emr ≫ Openemr Version5.0.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.443

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability

Third Party Advisory

https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431

Vendor Advisory

https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592

Third Party Advisory

https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-32101

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32101

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32101

EUVD