OpenEMR Horizontal Privilege Escalation Vulnerability in Patient Portal Payment Endpoint

Vulnerability

A horizontal privilege escalation vulnerability has been identified in OpenEMR versions prior to 8.0.0, specifically within the patient portal payment endpoint. The issue arises because the patient ID used on the page is sourced from user-controlled request parameters, rather than being tied to the authenticated user. This flaw allows portal users to access and manipulate another patient's demographic information, invoices, and payment history, creating an Insecure Direct Object Reference (IDOR) scenario. The vulnerability exists in 'portal/portal_payment.php'.

Impact

Exploitation of this vulnerability allows any authenticated portal user to bypass authorization and access sensitive information belonging to other patients, including demographics and financial data, without needing any elevated privileges.

Reproduction

To reproduce this vulnerability, log into the patient portal as a user with a valid session. Once logged in, navigate to the payment portal while supplying a different patient's ID through the request parameters. The system will display the other patient's information, demonstrating the unauthorized access.

Remediation

Users can upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been fixed.
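The root cause described above, the patient id being read from the request instead of the session, next to the kind of fix that closes it. This is an added illustration written for this page, not code from OpenEMR or from the fix in 8.0.0; the names `$_SESSION['pid']`, `sqlQuery()` and the `patient_data` columns are assumptions.

```php
<?php
// Added illustration, not OpenEMR's code. Assumed: $_SESSION['pid'] holds the
// authenticated portal patient's id; sqlQuery() is a parameterised query helper.

// --- Vulnerable pattern: identity comes from user-controlled parameters --
// Any logged-in portal user can change the pid value and the page renders
// another patient's demographics, invoices and payments (horizontal IDOR).
function getPatientIdVulnerable(): int
{
    return (int) ($_GET['pid'] ?? $_POST['pid'] ?? 0);
}

// --- Hardened pattern: identity is bound to the authenticated session -----
// The request is never consulted for who the patient is. A request-supplied
// pid that disagrees with the session is rejected and logged for detection.
function getPatientIdFromSession(): int
{
    if (empty($_SESSION['pid'])) {
        http_response_code(401);
        exit('Portal session required');
    }
    $sessionPid = (int) $_SESSION['pid'];

    $requestedPid = $_GET['pid'] ?? $_POST['pid'] ?? null;
    if ($requestedPid !== null && (int) $requestedPid !== $sessionPid) {
        // Detection hook: tampering with pid is worth an alert, not a redirect.
        error_log(sprintf(
            'portal_payment: session pid %d, requested pid %s, client %s',
            $sessionPid,
            $requestedPid,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        http_response_code(403);
        exit('Access denied');
    }
    return $sessionPid;
}

// Every query the page issues is keyed on the session-derived id only
// (assumed table and column names, shown for the pattern).
$pid = getPatientIdFromSession();
$patient = sqlQuery(
    "SELECT fname, lname, DOB FROM patient_data WHERE pid = ?",
    [$pid]
);
```

The mismatch log line is the simplest signal a portal operator can watch for: a legitimate patient never sends a pid other than their own.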

Added: Feb 27, 2026, 5:19 PM
Updated: Feb 27, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 3.1
exploitability: 6.2
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.