CRITICAL🇵🇱 Wersja polska

CVE-2024-37734

CVSS 9.8v3.1pub. 2024-06-26upd. 2025-05-01

An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter.

🤖 AI Analysis
How it works

An attacker sends a crafted POST request containing a manipulated noteid parameter value. The application improperly verifies permissions (CWE-279 — Incorrect Execution-Assigned Permissions), allowing bypass of access control mechanisms. As a result, a remote user without any privileges can obtain a higher level of access in the system.

Impact

An attacker can obtain unauthorized elevated privileges in the OpenEMR system, potentially leading to complete application takeover and access to sensitive patient medical data.

Mitigation & patch

Apply patches available from the vendor according to references — the fix was included in pull request #7435 in the OpenEMR project GitHub repository. Immediate update to a version containing this patch is recommended.

Who is affected

OpenEMR version 7.0.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Open Emr Openemr

    APP
    Open-Emr
    7.0.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-32238CRITICAL9.1PL ✓ten sam produkt

Command Injection w funkcji backup OpenEMR (wersje przed 8.0.0.2)

CVE-2026-24898CRITICAL10.0PL ✓ten sam produkt

OpenEMR: ujawnienie tokenów API MedEx bez uwierzytelnienia (Auth Bypass)

CVE-2026-25146CRITICAL9.6PL ✓ten sam produkt

OpenEMR: Wyciek klucza API bramki płatności do klienta w plaintext

CVE-2026-24849CRITICAL9.9PL ✓ten sam produkt

OpenEMR: path traversal umożliwia odczyt dowolnych plików przez uwierzytelnionego użytkownika

CVE-2026-24908CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OpenEMR — narażenie danych PHI przez parametr _sort

CVE-2024-37734 — Open-Emr — Openemr — CRITICAL — CVSS 9.8 | CVEbaza.pl