OpenEMR's Printable LBF Endpoint Leaks Arbitrary Patient Forms

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the form belongs to the current user’s authorized patient/encounter. An authenticated user with LBF access can enumerate form IDs and view or print any patient’s encounter forms. Version 8.0.0 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

通过用户控制密钥绕过授权机制

OpenEMR 安全漏洞

OpenEMR是OpenEMR社区的一套开源的医疗管理系统。该系统可用于医疗实践管理、电子医疗记录、处方书写和医疗帐单申请。 OpenEMR 8.0.0之前版本存在安全漏洞，该漏洞源于基于布局的表单可打印视图未验证表单是否属于当前用户授权的患者或就诊记录，可能导致具有LBF访问权限的经过身份验证的用户查看或打印任意患者的就诊表单。

N/A

N/A