OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
The vulnerability results from a lack of validation and escaping of identifiers for sort field names supplied by the user in the `_sort` parameter. The value of this parameter is directly injected into the ORDER BY clause of the SQL query without proper sanitization. An attacker with access to the API can manipulate database query logic and read or modify data stored in the database.
An attacker can gain unauthorized access to the application database, including protected patient medical data (PHI) and system user credentials. Depending on the database configuration, it is also possible to compromise data integrity or availability.
OpenEMR should be updated to version 8.0.0, which contains a patch eliminating the described vulnerability. The patch is also available in the project repository at the address indicated in the references (commit 943e23cad6e979f87cdf168807fce2a7b32dd194).
OpenEMR in all versions prior to 8.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HOpen Emr Openemr
APPOpen-Emr< 8.0.0
Related vulnerabilities
Command Injection w funkcji backup OpenEMR (wersje przed 8.0.0.2)
OpenEMR: Wyciek klucza API bramki płatności do klienta w plaintext
OpenEMR: ujawnienie tokenów API MedEx bez uwierzytelnienia (Auth Bypass)
OpenEMR: path traversal umożliwia odczyt dowolnych plików przez uwierzytelnionego użytkownika
SQL Injection w OpenEMR 7.0.2 — krytyczna podatność w module aptecznym