
OpenEMR flaws detailed

Open-source health record management software OpenEMR is affected by three security vulnerabilities discovered by SonarSource researchers, two of which can be chained to achieve remote code execution, reports SecurityWeek. The researchers found that OpenEMR has an unauthenticated arbitrary file read flaw stemming from the software installer's inability to delete itself after installation. Exploiting the bug could let an attacker create a database connection with attacker-controlled properties and use a rogue MySQL server to read OpenEMR files. The cross-site scripting vulnerability in OpenEMR could be used to execute JavaScript code, which in turn allows PHP file uploads and exploitation of a local file inclusion flaw for RCE. "A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure," said SonarSource. All of the vulnerabilities were addressed by OpenEMR in November.
