OpenEMR Profile Edit Endpoint Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in the Profile Edit endpoint of OpenEMR versions prior to 7.0.4. An authenticated user can manipulate request parameters to access and modify another user's profile information, such as name and contact details. The vulnerability could lead to account takeover.

Impact

Exploitation of this vulnerability allows for unauthorized modification of user profile data, with changes being persistent and visible in the affected user's account. This could also enable account takeover if sensitive information, like email or username, is altered.

Reproduction

To reproduce this vulnerability, log in as a normal user and navigate to the Profile Edit section. Intercept the request and modify the 'pid' and 'pubpid' parameters to reference another user's profile. Once the request is forwarded, the changes will be applied to the other user's account.

Remediation

Users can update to OpenEMR version 7.0.4 or later, where this vulnerability has been patched.
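
The access-control pattern behind this class of bug, as an added example that is not OpenEMR code or the project's actual patch: a handler that picks the target record from the request's 'pid', next to one that takes it from server-side session state and rejects mismatched 'pid'/'pubpid' values. The handler names, the session dictionary and the sample records are assumptions made for illustration.

```python
# Added illustration: hypothetical handlers and constructed data, not OpenEMR code.
# Constructed sample records keyed by internal id (pid); pubpid is the public id.
PROFILES = {
    1: {"pubpid": "P-0001", "fname": "Alice", "email": "alice@example.test"},
    2: {"pubpid": "P-0002", "fname": "Bob", "email": "bob@example.test"},
}
EDITABLE_FIELDS = {"fname", "email"}


class Forbidden(Exception):
    """Raised when request identifiers do not belong to the session owner."""


def fresh_profiles():
    """Return an independent copy of the sample data for each run."""
    return {pid: dict(rec) for pid, rec in PROFILES.items()}


def _apply(target, form):
    # Only allow-listed fields are written; identifiers are never updated.
    target.update({k: v for k, v in form.items() if k in EDITABLE_FIELDS})
    return target


def edit_profile_vulnerable(profiles, session, form):
    # Flaw: the record to update is selected by the client-supplied 'pid';
    # the session is only used to confirm that *someone* is logged in.
    if "pid" not in session:
        raise Forbidden("not authenticated")
    return _apply(profiles[int(form["pid"])], form)


def edit_profile_hardened(profiles, session, form):
    if "pid" not in session:
        raise Forbidden("not authenticated")
    # The target record comes from server-side session state only.
    target = profiles[session["pid"]]
    # Identifiers still present in the request must match the session owner;
    # a mismatch is rejected (and is worth logging as a tampering signal).
    if "pid" in form and str(form["pid"]) != str(session["pid"]):
        raise Forbidden("pid does not match the authenticated user")
    if "pubpid" in form and form["pubpid"] != target["pubpid"]:
        raise Forbidden("pubpid does not match the authenticated user")
    return _apply(target, form)
```

Rejected requests from the hardened handler are a useful detection signal on deployments that cannot be upgraded immediately.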

Added: Jan 28, 2026, 12:22 AM
Updated: Jan 28, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 5.0
exploitability: 5.8
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.