OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
A vulnerability exists in OpenEMR versions prior to 8.0.0 within the DICOM viewer state API. The API accepts document IDs without verifying whether the documents belong to the patient or encounter the current user is authorized for. Because of this missing check, an authenticated user can read or modify the DICOM viewer state (annotations and view settings) for any document simply by enumerating document IDs. The defect is in the document controller, which does not check document ownership or patient/encounter access controls before processing state requests.
This is an Insecure Direct Object Reference (IDOR): the DICOM viewer state for any document can be read or altered, which exposes Protected Health Information (PHI) and imaging metadata.
To reproduce this vulnerability, log in as a user with access to the DICOM viewer. Once authenticated, obtain or guess a document ID from another patient's DICOM study. Then, call the state API, either via a GET request to read the state or a POST request to save the state for the guessed document ID. If the API responds with the state information or confirms the state update for the other patient's document, the IDOR vulnerability is present.
Users can upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been addressed.
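The following is an added illustration written for this entry, not OpenEMR's own (PHP) code: a minimal Python model of a DICOM viewer state endpoint that resolves a document by ID alone, the pattern the advisory describes, beside a hardened version that first checks the document's patient and encounter against what the session is authorized for, and records every denial so that a burst of denied lookups across many IDs from one user is visible in the audit log. The document store, session model, user and document IDs are all constructed for the example.

```python
"""Added example (not OpenEMR code): per-document access check for a viewer state API."""

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller is not authorized for the requested document."""


@dataclass
class Document:
    doc_id: int
    patient_id: int
    encounter_id: int
    # Viewer state stored per document: annotations, zoom, window/level, etc.
    viewer_state: dict = field(default_factory=dict)


@dataclass
class Session:
    user_id: int
    # Hypothetical session model: the patient/encounter the user is currently
    # authorized to work in (OpenEMR's real session layout is not modelled here).
    patient_id: int
    encounter_id: int


# Constructed sample store: two patients, one DICOM document each.
DOCUMENTS = {
    101: Document(101, patient_id=1, encounter_id=10, viewer_state={"zoom": 1.0}),
    202: Document(202, patient_id=2, encounter_id=20, viewer_state={"zoom": 2.5}),
}

# Denied requests are appended here; many denials from one user over many
# document IDs is the enumeration signal a defender would alert on.
AUDIT_LOG: list = []


def get_state_vulnerable(session: Session, doc_id: int) -> dict:
    """The flawed pattern: look the document up by ID only.

    Any authenticated user can read any document's state, regardless of patient."""
    return dict(DOCUMENTS[doc_id].viewer_state)


def can_access(session: Session, doc_id: int) -> bool:
    """True only if doc_id exists and belongs to the session's patient and encounter."""
    doc = DOCUMENTS.get(doc_id)
    return (
        doc is not None
        and doc.patient_id == session.patient_id
        and doc.encounter_id == session.encounter_id
    )


def authorized_document(session: Session, doc_id: int) -> Document:
    """Resolve doc_id and enforce ownership.

    Unknown IDs and foreign documents fail identically, so the endpoint does
    not reveal which document IDs exist."""
    if not can_access(session, doc_id):
        AUDIT_LOG.append({"user_id": session.user_id, "doc_id": doc_id, "denied": True})
        raise AccessDenied(f"user {session.user_id} denied access to document {doc_id}")
    return DOCUMENTS[doc_id]


def get_state_hardened(session: Session, doc_id: int) -> dict:
    """GET handler: return a copy of the state only for an authorized document."""
    return dict(authorized_document(session, doc_id).viewer_state)


def save_state_hardened(session: Session, doc_id: int, new_state: dict) -> dict:
    """POST handler: overwrite the state only for an authorized document."""
    doc = authorized_document(session, doc_id)
    doc.viewer_state = dict(new_state)
    return dict(doc.viewer_state)


if __name__ == "__main__":
    s = Session(user_id=7, patient_id=1, encounter_id=10)
    print("vulnerable read of foreign doc:", get_state_vulnerable(s, 202))
    print("hardened read of own doc:", get_state_hardened(s, 101))
    try:
        get_state_hardened(s, 202)
    except AccessDenied as exc:
        print("hardened read of foreign doc:", exc)
    print("audit log:", AUDIT_LOG)
```

The check lives in one helper used by both the read and the save path, so a new handler cannot forget it; and the denial is logged before the error is raised, which is what turns an enumeration attempt into something a monitoring rule can count.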