OpenEMR Patient File Download Interface Directory Traversal Vulnerability

By GIXnews

A vulnerability in OpenEMR could allow an authenticated, remote attacker to conduct a directory traversal attack on a targeted system.

The vulnerability exists because the patient file download interface of the affected software does not properly validate user-supplied input. An attacker could exploit this vulnerability by submitting a malicious request to the affected software. A successful exploit could allow the attacker to conduct a directory traversal attack, which the attacker could use to access sensitive information.
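A containment check of the kind this class of flaw calls for in a file download handler, as an added example that is not OpenEMR's code or its patch. The function name, directory layout and sample file names are hypothetical; the function canonicalizes the requested path and refuses anything that resolves outside the document directory.

```php
<?php
// Added example: the names (resolve_download_path, the base directory, the
// sample inputs) are hypothetical and are not taken from OpenEMR.

/**
 * Map a user-supplied file name to a path inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Reject NUL bytes and empty names before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfigured base directory: fail closed
    }
    // realpath() collapses "..", "." and symlinks; false means no such file.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "/documents_old/x" does not pass
    // as being under "/documents".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree: one patient document and two files outside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/documents/42', 0700, true);
mkdir($root . '/documents_old', 0700, true);
file_put_contents($root . '/documents/42/report.pdf', 'constructed sample');
file_put_contents($root . '/secret.conf', 'constructed sample');
file_put_contents($root . '/documents_old/x.txt', 'constructed sample');

$cases = ['42/report.pdf', '../secret.conf', '42/../../secret.conf',
          '../documents_old/x.txt', $root . '/secret.conf', "42/report.pdf\0.txt"];
foreach ($cases as $name) {
    $path = resolve_download_path($root . '/documents', $name);
    printf("%-28s => %s\n", addcslashes($name, "\0"), $path === null ? 'REFUSED' : 'served');
}
```

Comparing the canonical path rather than filtering `..` out of the input string is what also catches symlinks and sibling directories that share the base directory's name as a prefix.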

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

OpenEMR has not confirmed the vulnerability; however, software updates are available.

Security Impact Rating: Medium

CVE: CVE-2019-3967

Source: Cisco Multivendor Vulnerability Alerts