8.8

CVE-2025-67645

Exploit

EPSS 0.04%
Veröffentlicht 27.01.2026 23:20:18
Zuletzt bearbeitet 12.02.2026 20:50:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Open-emr ≫ Openemr Version7.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.126

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv

Vendor Advisory

Exploit

https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-67645

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-67645

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-67645

EUVD