Researchers at SonarSource have found three security vulnerabilities in OpenEMR, the open-source health record management software, two of which could be chained to achieve remote code execution, SecurityWeek reports.
"A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure," said SonarSource. OpenEMR addressed all of the vulnerabilities in November.
Separately, a command injection vulnerability in a GitHub Actions workflow used by Bazel, Google's open-source build tool, could have allowed threat actors to insert malicious code into the production environment of projects that depend on it.