CRITICAL🇵🇱 Wersja polska

CVE-2024-22611

CVSS 9.8v3.1pub. 2025-04-03upd. 2025-04-08

OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and \openemr\controller.php.

🤖 AI Analysis
How it works

The vulnerability results from improper validation or lack of parameterization of input data in files Pharmacy.class.php, C_Pharmacy.class.php, and controller.php. An attacker can inject malicious SQL code over the network without requiring any privileges or user interaction. This makes it possible to manipulate queries to the OpenEMR application database.

Impact

An attacker can gain unauthorized access to sensitive medical and personal patient data stored in the database, as well as modify or delete this data. Depending on the database configuration, it is also possible to escalate the attack to other infrastructure components.

Mitigation & patch

Apply patches available from the vendor according to the references provided. It is recommended to urgently update the OpenEMR system to a vulnerability-free version and restrict network access to the OpenEMR instance only to trusted users and networks.

Who is affected

OpenEMR version 7.0.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Open Emr Openemr

    APP
    Open-Emr
    7.0.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-32238CRITICAL9.1PL ✓ten sam produkt

Command Injection w funkcji backup OpenEMR (wersje przed 8.0.0.2)

CVE-2026-24898CRITICAL10.0PL ✓ten sam produkt

OpenEMR: ujawnienie tokenów API MedEx bez uwierzytelnienia (Auth Bypass)

CVE-2026-25146CRITICAL9.6PL ✓ten sam produkt

OpenEMR: Wyciek klucza API bramki płatności do klienta w plaintext

CVE-2026-24849CRITICAL9.9PL ✓ten sam produkt

OpenEMR: path traversal umożliwia odczyt dowolnych plików przez uwierzytelnionego użytkownika

CVE-2026-24908CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OpenEMR — narażenie danych PHI przez parametr _sort