OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
A vulnerability allowing unauthenticated token disclosure has been identified in OpenEMR versions prior to 8.0.0. This issue resides in the MedEx callback endpoint, which bypasses authentication and exposes sensitive API tokens. When an unauthenticated visitor sends a POST request with a callback key, the endpoint responds with MedEx API tokens, enabling unauthorized access to third-party services, potential exfiltration of protected health information (PHI), and violations of HIPAA regulations.
Exploitation of this vulnerability allows for unauthorized access to MedEx API tokens, which can be used to access and manipulate patient data, trigger reminders, modify events, and manage practice settings on the MedEx platform. Additionally, this vulnerability leads to HIPAA violations by exposing protected health information.
To reproduce this vulnerability, send a POST request to the MedEx callback endpoint with any value for the 'callback_key' parameter. The response will include sensitive MedEx API tokens and other practice-related information. Once the tokens are obtained, they can be used to access the MedEx API and perform unauthorized actions.
Users can upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been fixed.
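The contrast below is an added illustration, not OpenEMR's or MedEx's code and not the actual fix shipped in 8.0.0. It shows the two handler shapes the advisory describes: a callback that returns practice tokens whenever any callback_key is present, and a hardened one that checks the presented key against a server-side stored key in constant time and never echoes tokens back. All function names, the stored key and the practice data are hypothetical placeholders constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not OpenEMR or MedEx code. Every name here is hypothetical.

// Shape of the flaw in the advisory: the mere presence of a callback_key
// value is enough to get the practice's MedEx tokens in the response.
function medex_callback_vulnerable(array $post, array $practice): array
{
    if (!isset($post['callback_key'])) {
        return ['status' => 400, 'body' => ['error' => 'missing callback_key']];
    }
    // The key is never validated, and the reply discloses the tokens.
    return ['status' => 200, 'body' => $practice];
}

// Hardened form: the caller must present the practice's stored callback key,
// compared with hash_equals() so timing does not leak it, and the reply
// carries only an acknowledgement, never the tokens.
function medex_callback_hardened(array $post, string $storedKey): array
{
    $presented = $post['callback_key'] ?? null;
    if ($storedKey === '' || !is_string($presented)
        || !hash_equals($storedKey, $presented)) {
        // One generic answer for a missing, malformed or wrong key.
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    // Authorized callback: process the payload here, then acknowledge.
    return ['status' => 200, 'body' => ['ack' => true]];
}

// Constructed sample data so the file runs stand-alone (php this_file.php).
$practice = [
    'practice_id'     => 'EXAMPLE-PRACTICE',           // placeholder
    'medex_api_token' => 'EXAMPLE-TOKEN-DO-NOT-USE',   // placeholder
];
$storedKey = 'example-stored-callback-key';            // placeholder secret

// A request carrying an arbitrary key: the vulnerable handler answers 200
// with the practice record, the hardened one answers 403 with no data.
$probe = ['callback_key' => 'anything'];
echo json_encode(medex_callback_vulnerable($probe, $practice)), PHP_EOL;
echo json_encode(medex_callback_hardened($probe, $storedKey)), PHP_EOL;

// A request carrying the correct stored key is acknowledged without tokens.
$genuine = ['callback_key' => $storedKey];
echo json_encode(medex_callback_hardened($genuine, $storedKey)), PHP_EOL;
```

The stored key should be loaded from server-side configuration, never derived from anything in the request, and should be long and random enough that the constant-time comparison is the only thing standing between a visitor and the callback. Since the advisory says tokens were disclosed before the fix, an upgrade to 8.0.0 is best paired with rotating the MedEx API tokens the affected endpoint could have exposed.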