Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-25920

Date: March 22, 2021

Overview

In OpenEMR, versions 2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.

Details

The “OpenEMR” application does not enforce adequate checks while creating users. Provided two users are named, one with uppercase and one with lowercase, it is possible for a malicious user to read and send sensitive messages on behalf of the victim user, while totally unknown to the victim user.

Affected Environments

v2.7.2-rc1-6.0.0

Prevention

Upgrade to version 6.0.0.1

Language: PHP

Good to know:

icon

Improper Handling of Case Sensitivity

CWE-178

Incorrect Authorization

CWE-863
icon

Upgrade Version

Upgrade to version v6_0_0_1

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Additional information:

Related Resources (4)

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25920
https://nvd.nist.gov/vuln/detail/CVE-2021-25920
https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f
https://www.mend.io/vulnerability-database/CVE-2021-25920