
CVE-2021-41843

Published: 17/12/2021 Updated: 22/12/2021
CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Vulnerability Summary

An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows a malicious user to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.

Vulnerable Product

open-emr openemr 6.0.0

Exploits

OpenEMR versions 6.0.0 and 6.1.0-dev suffer from an authenticated remote SQL injection vulnerability in the calendar search functionality ...

Mailing Lists

Full Disclosure mailing list archives

Trovent Security Advisory 2109-01 / CVE-2021-41843: Authenticated SQL injection in OpenEMR calendar search ...