OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.1
A vulnerability exists in the OpenEMR encounter vitals API in versions prior to 8.0.0.2. The API accepts an 'id' in the request body and uses it to update a vital record without verifying that the vital belongs to the current patient or encounter. An authenticated user with encounters or notes permission can therefore overwrite any patient's vitals by providing a different patient's vital 'id', resulting in tampering with medical records.
Exploitation of this vulnerability allows for unauthorized modification of patient vital records, potentially leading to incorrect clinical decisions.
To reproduce this vulnerability, log in as a user with encounters or notes permission. Identify a vital record ID from another patient, then send a POST request to the encounter vitals API for an encounter you are authorized to access. Include the target 'id' from the other patient's vital record in the request body. If the update is applied to the vital record corresponding to the supplied 'id', the vulnerability has been successfully reproduced.
Users can update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed.
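The missing ownership check and its corrected form, as an added example that is not OpenEMR's code: an in-memory Python model in which the store, the function names and the fields (`pid`, `eid`, `bps`) are assumptions. The hardened function refuses any body-supplied `id` whose row does not belong to the patient and encounter the request is addressed to.

```python
# Added illustration: an in-memory model of the flaw and the check. Not OpenEMR code;
# the store layout, function names and field names are hypothetical.
from dataclasses import dataclass


@dataclass
class Vital:
    id: int
    pid: int   # owning patient
    eid: int   # owning encounter
    bps: int   # one sample measurement


def make_store():
    # Constructed sample rows: vital 101 belongs to patient 1, vital 202 to patient 2.
    return {v.id: v for v in (Vital(101, 1, 10, 120), Vital(202, 2, 20, 135))}


def update_unchecked(store, pid, eid, body):
    """Vulnerable shape: the row is selected by the body-supplied id alone."""
    row = store.get(body.get("id"))
    if row is None:
        return False
    row.bps = body["bps"]  # pid and eid of the request are never compared
    return True


def update_checked(store, pid, eid, body):
    """Hardened shape: the row must belong to the request's patient and encounter."""
    row = store.get(body.get("id"))
    if row is None or row.pid != pid or row.eid != eid:
        return False  # same result for "missing" and "not yours", so ids are not confirmed
    row.bps = body["bps"]
    return True


if __name__ == "__main__":
    # Caller is authorized for patient 1 / encounter 10 but names vital 202.
    body = {"id": 202, "bps": 90}
    for fn in (update_unchecked, update_checked):
        store = make_store()
        print(fn.__name__, fn(store, 1, 10, body), store[202].bps)
```

Returning the same result for a nonexistent row and a row owned by someone else keeps the endpoint from confirming which vital ids exist.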