{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-07T03:50:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability"}, {"tags": ["x_refsource_MISC"], "url": "https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592"}, {"tags": ["x_refsource_MISC"], "url": "https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431"}, {"tags": ["x_refsource_MISC"], "url": "https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-32101", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability", "refsource": "MISC", "url": "https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability"}, {"name": "https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592", "refsource": "MISC", "url": "https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592"}, {"name": "https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431", "refsource": "MISC", "url": "https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431"}, {"name": "https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal", "refsource": "MISC", "url": "https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:17:28.950Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-32101", "datePublished": "2021-05-07T03:50:56", "dateReserved": "2021-05-07T00:00:00", "dateUpdated": "2024-08-03T23:17:28.950Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:5.0.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BCFA8AD2-1361-43D5-9580-A7F43B3390D5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient."}, {"lang": "es", "value": "El Patient Portal of OpenEMR versi\u00f3n 5.0.2.1, est\u00e1 afectado por un sistema de control de acceso incorrecto en el archivo portal/patient/_machine_config.php. Para explotar la vulnerabilidad, un atacante no autenticado puede registrar una cuenta, sin pasar por la comprobaci\u00f3n de permisos de la API de este portal. Luego, el atacante puede manipular y leer los datos de cada paciente registrado"}], "id": "CVE-2021-32101", "lastModified": "2024-11-21T06:06:50.690", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-07T04:15:07.387", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}