OpenEMR Message Update Endpoint Patient ID Verification Vulnerability

Vulnerability

A vulnerability exists in OpenEMR versions through 8.0.0, allowing authenticated users with notes permission to modify any patient's messages. The issue arises because the message update endpoint only checks the message ID, without verifying whether the message belongs to the current patient or whether the user is authorized to edit that patient's notes. This flaw enables unauthorized alterations of patient communications, posing a risk to data integrity and compliance.

Impact

Exploitation of this vulnerability allows for unauthorized modifications of patient notes, creating risks related to data integrity and compliance.

Reproduction

To reproduce this vulnerability, log in as a user with permission to write patient notes. Obtain a note ID from a patient other than the one currently being viewed. Then, send a PUT request to the note update endpoint for a different patient, using the obtained note ID. The server will apply the update without verifying patient ownership or user authorization.
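The missing check described above, shown as an added illustration that is not OpenEMR's own code: a note-update handler that looks up the note by ID alone, beside one that also requires the note to belong to the patient named in the request and the user to hold write permission for that patient. The in-memory note store, the per-patient ACL and the function names are constructed for this example.

```python
# Constructed sample data: note_id -> record (not real OpenEMR tables).
NOTES = {
    101: {"pid": 1, "body": "Follow-up scheduled"},
    202: {"pid": 2, "body": "Lab results pending"},
}

# Constructed ACL: which patients each user may write notes for.
NOTE_WRITE_ACL = {"alice": {1}, "bob": {2}}


def update_note_vulnerable(user, url_pid, note_id, new_body):
    """Flawed pattern: only checks that the note exists.

    The patient ID from the request URL and the caller's per-patient
    permission are never consulted, so any valid note_id is updated.
    Returns the patient the note actually belongs to, or None.
    """
    note = NOTES.get(note_id)
    if note is None:
        return None
    note["body"] = new_body
    return note["pid"]


def authorize_note_update(user, url_pid, note_id):
    """Ownership and permission check missing from the flawed handler.

    Reject when the note is absent, when it belongs to a different
    patient than the one in the URL, or when the user has no write
    permission for that patient. A missing note and a foreign note are
    treated the same so the response does not reveal which note IDs exist.
    """
    note = NOTES.get(note_id)
    if note is None or note["pid"] != url_pid:
        return False
    return url_pid in NOTE_WRITE_ACL.get(user, set())


def update_note_fixed(user, url_pid, note_id, new_body):
    """Hardened handler: authorize first, then apply the update.

    Returns True when the update was applied, False when it was refused.
    """
    if not authorize_note_update(user, url_pid, note_id):
        return False
    NOTES[note_id]["body"] = new_body
    return True
```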

Remediation

Users are advised to update to the latest version of OpenEMR, where this vulnerability has been addressed.

Added: Mar 18, 2026, 9:29 PM
Updated: Mar 18, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.