openemr / openemr
Project repository
The most popular open source electronic health records and medical practice management solution.
Response-time targets for this program:
- First interaction: within 2 days
- Review: within 18 days
- Fix: within 71 days
Disclosed reports (status is the triage outcome; severity is the rated severity; a dash means no bounty or no CVE is listed):

| Title | Date | Reporter | Status | Severity | Bounty | CVE |
|---|---|---|---|---|---|---|
| Stored XSS in Secure Messaging | Jul 27th 2023 | tuannq2299 | High | High | - | CVE-2024-0875 |
| Receptionist view information of Patients | Jun 13th 2023 | anh91 | pending | - | - | - |
| Unauthenticated Path Traversal | Nov 12th 2023 | baobaovt | not applicable | - | - | - |
| XML Entity Expansion in import_xml.php can lead to Denial-of-Service | Jul 30th 2023 | nalysius | not applicable | - | - | - |
| SQL injection in the delete action of the file add_edit_event.php | Jul 10th 2023 | nhienit2010 | High | High | - | - |
| Reflected XSS in /library/custom_template/share_template.php | May 28th 2023 | tsarsecurity | High | High | - | CVE-2023-2948 |
| Reflected XSS in interface/forms/eye_mag/js/eye_base.php | May 28th 2023 | tsarsecurity | High | High | - | CVE-2023-2949 |
| Failed Password Change is Not Logged | Mar 29th 2023 | henrycrain | informative | Medium | - | - |
| Patient Social Security Numbers Disclosed in Log | Mar 29th 2023 | henrycrain | informative | Medium | - | - |
| CSRF through unchecked token in Patient Finder | Apr 15th 2023 | hainluud | informative | Medium | - | - |
| Stored XSS in Admin Panel | May 27th 2023 | henrycrain | Medium | Medium | - | CVE-2023-2947 |
| Access Control Vulnerability in Prescription Controller | May 27th 2023 | drew-sec | Medium | Medium | - | CVE-2023-2946 |
| Access Control Vulnerability in Admin Address Book | May 27th 2023 | drew-sec | Medium | Medium | - | CVE-2023-2944 |
| Missing Authorization Check Allows Impersonated Secure Messages | May 27th 2023 | drew-sec | Medium | Medium | - | CVE-2023-2945 |
| XSS via upload pdf file | Apr 20th 2023 | christynorl | self closed | - | - | - |
| Broken Access Controls in Practice settings | May 12th 2023 | nhienit2010 | High | High | - | CVE-2023-2674 |
| Bypass client side restrictions leads to IDOR on creating appointment. | May 27th 2023 | leorac | High | High | - | CVE-2023-2942 |
| Patient ability to rewrite its own documents leads to HTML injection | May 28th 2023 | leorac | Medium | Medium | - | CVE-2023-2950 |
| Stored HTML injection in Patient chat functionality | May 27th 2023 | leorac | Medium | Medium | - | CVE-2023-2943 |
| Stored XSS bypass the protection rules | May 8th 2023 | christynorl | High | High | - | CVE-2023-2566 |
| Broken Access Controls in Patient Files | Dec 14th 2022 | xkulio | High | High | - | CVE-2022-4567 |
| File Upload Type Validation Error | Dec 14th 2022 | xkulio | High | High | - | CVE-2022-4506 |
| Improper Name Validation in Upload Document Form | Dec 14th 2022 | xkulio | High | High | - | CVE-2022-4504 |
| Reflected Cross-Site Scripting in Front Payment CC | Dec 14th 2022 | xkulio | Medium | Medium | - | CVE-2022-4503 |
| Multiple Reflected Cross-Site Scripting in Messages Module | Dec 14th 2022 | xkulio | High | High | - | CVE-2022-4502 |
| Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel | Mar 9th 2023 | the-login | High | High | - | - |
| Stored XSS | Dec 6th 2022 | mike993 | Medium | Medium | - | CVE-2022-4733 |
| Cookie with Secure attribute is false | Sep 20th 2022 | uonghoangminhchau | informative | High | - | - |
| Cookie with HTTPOnly is false | Sep 20th 2022 | uonghoangminhchau | informative | High | - | - |
| Cross Site Scripting (reflected) on fee_sheet_ajax.php | Dec 6th 2022 | 0xd114 | High | High | - | CVE-2022-4615 |
| No Protection against Bruteforce attacks on Login page | Aug 24th 2022 | y-seung | informative | Medium | - | - |
| Tabnabbing via window.opener [www.open-emr.org] | Oct 15th 2022 | agnihackers | informative | High | - | - |
| User can do all actives with other's signature (view, get, create, update, dele... | Aug 9th 2022 | dyn20 | High | High | - | CVE-2022-2824 |
| IDOR leads to delete messages in Message Center of others. | Aug 9th 2022 | dyn20 | High | High | - | - |
| Cross-site Scripting - Reflected | Aug 9th 2022 | ch1nhpd | Critical | Critical | - | CVE-2022-2733 |
| Idor disclose other user's appointment | Dec 14th 2022 | gaurav-g2 | High | High | $10 | CVE-2022-4505 |
| Cross site script | Aug 9th 2022 | gaurav-g2 | High | High | $15 | - |
| DOM-based Cross-Site Scripting (XSS) in OpenEMR 7.0.0 and below at White list fi... | Aug 9th 2022 | johnnattakit | Medium | Medium | - | CVE-2022-2729 |
| Non-Privilege user can view Patient's Amendments | Aug 9th 2022 | rata99 | Medium | Medium | - | CVE-2022-2730 |
| Unauthorized to create and edit Amendments function | Aug 9th 2022 | rata99 | High | High | - | CVE-2022-2732 |
| Send message in chat function with any username | Aug 9th 2022 | dyn20 | High | High | $9 | - |
| Account Takeover | Jul 24th 2022 | akshayravic09yc47 | informative | Critical | - | - |
| Reflected Cross Site Scripting in OpenEMR 7.0.0 and below at backup | Aug 9th 2022 | johnnattakit | Medium | Medium | - | CVE-2022-2731 |
| UI REDRESSING | Aug 9th 2022 | tharunavula | Critical | Critical | $25 | CVE-2022-2734 |
| Improper authorization - clinician can view and change practice settings. | May 24th 2022 | justinp09010 | duplicate | Critical | - | - |
| Improper privilege management - clinician can configure order and results | May 24th 2022 | justinp09010 | duplicate | Critical | - | - |
| Improper authorization - clinician can create and view payments | May 24th 2022 | justinp09010 | duplicate | Critical | - | - |
| Cross-site Scripting (XSS) - Stored | Jul 20th 2022 | bugruto | Medium | Medium | - | CVE-2022-2494 |
| Improper authorization - receptionist can read all Clinic reports | Jul 22nd 2022 | justinp09010 | High | High | $15 | - |
| Improper Privilege Management - receptionist can view background services and lo... | Jul 22nd 2022 | justinp09010 | High | High | $15 | - |
| Improper authorization - receptionist can read all secure messaging | Jul 22nd 2022 | justinp09010 | High | High | $15 | - |
| Non-Privilege User Can View Patient's Disclosures | Apr 25th 2022 | r00tpgp | High | High | $15 | CVE-2022-1459 |
| Missing Function Level Access Control | Jul 20th 2022 | r00tpgp | High | High | $15 | CVE-2022-2493 |
| Non Privilege User can Enable or Disable Registered | Apr 25th 2022 | r00tpgp | High | High | $15 | CVE-2022-1461 |
| Stored XSS Leads To Session Hijacking | Apr 25th 2022 | mdakh404 | High | High | $15 | CVE-2022-1458 |
| Stored Cross Site Scripting | Mar 28th 2022 | r00tpgp | High | High | $15 | CVE-2022-1181 |
| Reflected Cross Site Scripting | Mar 23rd 2022 | r00tpgp | Medium | Medium | - | CVE-2022-1180 |
| Non-Privilege User Can Create New Rule and Lead to Stored Cross Site Scripting | Mar 23rd 2022 | r00tpgp | Medium | Medium | - | CVE-2022-1179 |
| Stored Cross Site Scripting | Mar 20th 2022 | r00tpgp | High | High | $15 | CVE-2022-1178 |
| Accounting User Can Download Patient Reports in openemr | Mar 23rd 2022 | r00tpgp | Medium | Medium | - | CVE-2022-1177 |
| Improper Privilege Management | Jul 27th 2022 | thelabda | Medium | Medium | $40 | - |
Current bounty amounts by severity:
- Critical: $0
- High: $0
- Medium: $0
- Low: $0