OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- 7.0.3.4
A vulnerability in OpenEMR versions prior to 7.0.4 allows unauthorized users to view and modify sensitive data in Clinical Notes and Care Plan forms associated with encounters marked as high sensitivity. This issue arises because users without high sensitivity privileges can access and change information that should be restricted to those with the appropriate permissions.
Exploitation of this vulnerability leads to unauthorized access and modification of sensitive clinical data, creating a risk of misinformation in patient records.
To reproduce this vulnerability, log in as a user with normal sensitivity privileges, such as a Clinician. Create an encounter and set its sensitivity to high. After logging out, log in as a user with high sensitivity privileges, such as a Physician, and add information to the Clinical Notes and Care Plan forms for the encounter. Then, log out and log back in as the Clinician. The Clinician will be able to access the Clinical Notes and Care Plan information for the high sensitivity encounter, despite not having the necessary privileges.
Users can upgrade to OpenEMR version 7.0.4, which addresses this vulnerability.
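The defect described above is an authorization check that stops at the per-form permission and never consults the sensitivity of the encounter the form belongs to. The following is an added, hypothetical model of that check (not OpenEMR's own code): `vulnerable_can_access` reproduces the flawed logic, `fixed_can_access` makes the form inherit the encounter's sensitivity, and `demo()` replays the advisory's Clinician/Physician scenario with constructed users and data.

```python
# Hypothetical authorization model illustrating the advisory's missing check.
# Names, levels and sample data are constructed; this is not OpenEMR code.
from dataclasses import dataclass, field

# Sensitivity levels ordered from least to most restrictive (constructed).
SENSITIVITY_RANK = {"normal": 0, "high": 1}

@dataclass
class User:
    name: str
    max_sensitivity: str                          # highest level the user may see
    form_acl: set = field(default_factory=set)    # forms the user may use

@dataclass
class Encounter:
    encounter_id: int
    sensitivity: str
    forms: dict = field(default_factory=dict)     # form name -> stored text

def vulnerable_can_access(user, encounter, form_name):
    """Before: only the per-form ACL is checked; encounter sensitivity is ignored."""
    return form_name in user.form_acl

def fixed_can_access(user, encounter, form_name):
    """After: the form inherits its encounter's sensitivity, which must not exceed the user's."""
    if form_name not in user.form_acl:
        return False
    return SENSITIVITY_RANK[user.max_sensitivity] >= SENSITIVITY_RANK[encounter.sensitivity]

def read_form(user, encounter, form_name, check=fixed_can_access):
    """Return the form text, or raise if the check denies the user."""
    if not check(user, encounter, form_name):
        raise PermissionError(f"{user.name} may not read {form_name} of encounter {encounter.encounter_id}")
    return encounter.forms.get(form_name, "")

def write_form(user, encounter, form_name, text, check=fixed_can_access):
    """Store form text, or raise if the check denies the user."""
    if not check(user, encounter, form_name):
        raise PermissionError(f"{user.name} may not write {form_name} of encounter {encounter.encounter_id}")
    encounter.forms[form_name] = text

def demo():
    """Replay the advisory's scenario; returns (vulnerable_leaks, fixed_blocks)."""
    clinician = User("clinician", "normal", {"clinical_notes", "care_plan"})
    physician = User("physician", "high", {"clinical_notes", "care_plan"})
    enc = Encounter(42, "high")                   # constructed high-sensitivity encounter
    write_form(physician, enc, "clinical_notes", "constructed sensitive note")
    leaked = read_form(clinician, enc, "clinical_notes", check=vulnerable_can_access)
    try:
        read_form(clinician, enc, "clinical_notes")   # fixed check applies here
        blocked = False
    except PermissionError:
        blocked = True
    return leaked == "constructed sensitive note", blocked
```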