[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

OpenEMR 6.0.0 - (noteid) Insecure Direct Object Reference Vulnerability

Author
Allen Enosh Upputori
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-36714
Category
web applications
Date add
06-09-2021
CVE
CVE-2021-40352
Platform
php
# Exploit Title: OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)
# Exploit Author: Allen Enosh Upputori
# Vendor Homepage: https://www.open-emr.org
# Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
# Version:  6.0.0 
# Tested on: Linux 
# CVE : CVE-2021-40352

How to Reproduce this Vulnerability:

1. Install Openemr 6.0.0
2. Login as an Physician
3. Open Messages 
4. Click Print 
5. Change the existing "noteid=" value to another number 

This will reveal everybodys messages Incuding Admin only Messages

#  0day.today [2024-12-24]  #