Non-Privileged User can Enable or Disable Registered in openemr/openemr


Reported on

Mar 28th 2022

Vulnerability Type

Insecure Direct Object Reference

Affected URL


Affected Parameters


Authentication Required?


Issue Summary

Non-privileged users (accounting and front-office roles) can disable and enable registered modules. The module management function is not visible to non-privileged users after login, but such a user can send a POST request directly to the vulnerable endpoint to disable or enable a module.


The OpenEMR session cookie must be checked before the "modAction" parameter sent in the POST request to https://localhost/openemr-6.0.0/interface/modules/zend_modules/public/Installer/manage is acted upon, so that only sessions belonging to Admin or otherwise privileged users are allowed to enable or disable registered modules.
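The missing check described above, as an added example that is not OpenEMR's code: a module-management handler that relies on the UI hiding the button (the vulnerable pattern) beside one that resolves the caller from the authenticated session and requires an admin ACL before honoring modAction. The session layout and the userHasAcl() lookup are hypothetical stand-ins, not OpenEMR APIs.

```php
<?php
declare(strict_types=1);

// Hypothetical ACL lookup with a constructed sample table; a real
// application would query its own ACL store.
function userHasAcl(string $user, string $section, string $value): bool
{
    $acl = [
        'admin'      => ['admin' => ['super']],
        'accountant' => ['acct'  => ['rep']],
    ];
    return in_array($value, $acl[$user][$section] ?? [], true);
}

// Vulnerable pattern: anyone who reaches the endpoint is treated as an
// administrator because non-privileged users never see the UI control.
// Hiding a button is not an authorization check.
function manageModuleVulnerable(array $post, array $session): array
{
    $action = $post['modAction'] ?? '';
    if (!in_array($action, ['enable', 'disable'], true)) {
        return ['status' => 400, 'message' => 'bad modAction'];
    }
    $modId = (int) ($post['modId'] ?? 0);
    // State change happens here regardless of who the caller is.
    return ['status' => 200, 'message' => "module {$modId} {$action}d"];
}

// Hardened pattern: identify the caller from the server-side session and
// require the admin ACL before any state change is performed.
function manageModuleHardened(array $post, array $session): array
{
    $user = $session['authUser'] ?? null;
    if ($user === null || !userHasAcl($user, 'admin', 'super')) {
        return ['status' => 403, 'message' => 'not authorized'];
    }
    return manageModuleVulnerable($post, $session);
}

// Constructed requests: the same tampered POST sent with an accountant
// session and with an admin session.
$post = ['modAction' => 'disable', 'modId' => '7'];
print_r(manageModuleVulnerable($post, ['authUser' => 'accountant'])); // state changes
print_r(manageModuleHardened($post, ['authUser' => 'accountant']));   // refused
print_r(manageModuleHardened($post, ['authUser' => 'admin']));        // allowed
```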


Aden Yap Chuen Zhen; Rizan, Sheikh; Ali Radzali

Issue Reproduction

An admin user is able to disable and enable registered modules:

Figure 1: Login as Admin. The Document Module is currently disabled.

We used Burp to capture the Admin's POST request to this endpoint:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie: OpenEMR=wa2ubMTCtCWeMvZcad%2CtgbXtvYNdGm%2CTpjZ35HztCGO1Sxd4


Figure 2: Captured request using Burp. The OpenEMR cookie and the modAction parameter are tampered with by a non-privileged user.

We swapped the OpenEMR cookie for that of a non-privileged user such as Accountant and were still able to enable/disable modules:

Figure 3: Registered modules as seen from the Admin account after the non-privileged user had tampered with them.

Note that the Module function is not visible to a non-privileged user. However, by capturing the Admin's POST request in step 2, we were able to determine the vulnerable endpoint and send modifications to the Module function from the non-privileged session.

Figure 4: Module function is not visible to non-privileged users.

We are processing your report and will contact the openemr team within 24 hours. 2 years ago
We have contacted a member of the openemr team and are waiting to hear back 2 years ago
openemr/openemr maintainer has acknowledged this report 2 years ago
openemr/openemr maintainer validated this vulnerability 2 years ago
r00tpgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
2 years ago


A preliminary fix has been placed in the development codebase:

This fix will be included in the next 6.1.0 patch 1. After we release 6.1.0 patch 1, we will confirm the fix at that time.

2 years ago


Dear @admin, I've already pinged the maintainer; could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq

openemr/openemr maintainer
2 years ago


Please do not yet make this public yet (I am assuming CVE creation will make it public). I will notify here when we release 6.1.0 patch 1 (in likely 1-2 weeks).

Jamie Slome
2 years ago

Sure, we will wait for your go-ahead on this one 👍

We have sent a fix follow up to the openemr team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 2 years ago
openemr/openemr maintainer
2 years ago


Patch 1 for 6.1.0 has been released, so this fix is now official.

openemr/openemr maintainer marked this as fixed in with commit 3af1f4 2 years ago
The fix bounty has been dropped
2 years ago


Dear @admin, kindly assign a CVE for this fix since the patch was released. Thank you.

Jamie Slome
2 years ago

Sorted 👍
