Multiple Vulnerabilities Found In Healthcare Software OpenEMR
Researchers have found three separate vulnerabilities in OpenEMR, an open-source software for electronic health records and medical practice management.
Clean code experts at Sonar published an advisory on Wednesday about the flaws, which were discovered by security researcher Dennis Brinkrolf.
“During our security research of popular web applications, we discovered several code vulnerabilities in OpenEMR,” Brinkrolf wrote.
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure.”
The security expert explained that the company’s static application security testing (SAST) engine surfaced the flaws, and that two of the three vulnerabilities, when chained together, could lead to unauthenticated remote code execution (RCE).
“In summary, an attacker can use the reflected XSS, upload a PHP file […] and then use the path traversal via the Local File Inclusion to execute the PHP file. It takes a few tries to figure out the appropriate Unix timestamp but eventually leads to remote code execution.”
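The middle step of that chain depends on the application including a file whose path an attacker can steer outside the intended directory. As an added illustration that is not code from the article, from Sonar or from OpenEMR, the PHP function below shows the check a defender would want in front of any such include: it canonicalizes the requested name against a fixed base directory and refuses anything that resolves outside it. The function and file names are assumptions for the demonstration; the temporary directory and files it creates are constructed inputs. It needs PHP 8 or later for `str_contains()` and `str_starts_with()`.

```php
<?php
// Added example, not OpenEMR code: confine a user-supplied file name to a base
// directory before using it in include()/require() or a file read.
declare(strict_types=1);

function resolveWithinBase(string $baseDir, string $requested): ?string
{
    // PHP's filesystem functions truncate at a NUL byte, so "x.php\0.jpg"
    // would be opened as "x.php"; reject it before any path logic runs.
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;
    }
    // Absolute paths never belong to a template/plugin name.
    if ($requested[0] === '/' || $requested[0] === '\\') {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and returns false for files
    // that do not exist. The prefix check after it is what actually enforces
    // the boundary: a symlink inside the base that points outside it resolves
    // to its target and fails the check.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Builds a throwaway directory tree (constructed sample data) and runs a set of
// benign and hostile names through the check. Returns name => allowed?.
function demo(): array
{
    $base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($base . '/templates', 0700, true);
    file_put_contents($base . '/templates/report.php', "<?php echo 'ok';");
    $outside = sys_get_temp_dir() . '/lfi-demo-outside-' . getmypid() . '.txt';
    file_put_contents($outside, 'secret');
    symlink($outside, $base . '/templates/link.txt');

    $inputs = [
        'templates/report.php',               // legitimate
        'templates/../templates/report.php',  // odd but still inside the base
        '../../etc/passwd',                   // classic traversal
        '/etc/passwd',                        // absolute path
        "templates/report.php\0.jpg",         // NUL-byte truncation
        'templates/link.txt',                 // symlink escaping the base
    ];
    $results = [];
    foreach ($inputs as $in) {
        $results[$in] = resolveWithinBase($base, $in) !== null;
    }

    unlink($base . '/templates/link.txt');
    unlink($base . '/templates/report.php');
    rmdir($base . '/templates');
    rmdir($base);
    unlink($outside);
    return $results;
}

foreach (demo() as $name => $allowed) {
    printf("%-40s %s\n", addcslashes($name, "\0"), $allowed ? 'allowed' : 'rejected');
}
```

Run it with `php lfi_check.php`; only the first two names are allowed. The important design point is that the boundary is enforced on the canonical path returned by `realpath()`, not on the raw string, so pattern-based filters for `..` are unnecessary and the symlink case is covered for free.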
The third vulnerability allowed attackers to manipulate OpenEMR’s configuration in a way that ultimately let them steal user data.
“In other words, if OpenEMR is set up correctly, an unauthenticated attacker can read files like certificates, passwords, tokens, and backups from an OpenEMR instance via a rogue MySQL server,” Brinkrolf explained.
The security researcher added that Sonar reported all issues to the OpenEMR maintainers on October 24, 2022, and that the maintainers released a patch to version 7.0.0 fixing all three vulnerabilities seven days later.
“If you are using OpenEMR, we strongly recommend updating to the fixed versions mentioned above,” the Sonar post concluded. “We want to thank the OpenEMR team for their professional and fast responses and patches.”
The patched vulnerabilities come almost five years after researchers at Project Insecurity found over 20 flaws (now fixed) in OpenEMR.