OpenEMR Improper Permission Validation Vulnerability Allowing Unauthorized Data Access

A vulnerability exists in OpenEMR versions prior to 8.0.0, where the server fails to properly validate user permissions. This flaw allows unauthorized users to access information belonging to authorized users. The issue has been addressed in version 8.0.0.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive patient information, including personal identifiable information (PII), through the Care Coordination module.

Reproduction

To reproduce this vulnerability, log into OpenEMR with an account that has the Administrator role. Navigate to the Care Coordination module, which is restricted to Administrators. Then, log out and log back in with an account that has a different role, such as Accounting, which does not have access to the Care Coordination module. Capture the session cookie for this account. Finally, modify an HTTP request to the Care Coordination module by replacing the Administrator session cookie with the one from the Accounting account. Send the modified request to the server. If the request is successful and data from the Care Coordination module is retrieved, the vulnerability is present.

Remediation

Users can update to OpenEMR version 8.0.0 or later to address this vulnerability.