OpenEMR Claim File Tracker Missing Authorization Vulnerability

Vulnerability

A missing authorization vulnerability has been identified in the Claim File Tracker feature of OpenEMR, prior to version 8.0.0.1. The issue arises because an AJAX endpoint, located in 'library/ajax/billing_tracker_ajax.php', exposes billing claim metadata, including claim IDs, payer information, and transmission logs. This endpoint fails to enforce the same access control as the main billing workflow, allowing authenticated users without proper billing permissions to access sensitive data. Because the server relies solely on UI-level checks, low-privilege authenticated users can call the endpoint directly and retrieve claim tracking information.
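The root cause is an endpoint that validates the session and CSRF token but never re-checks the billing ACL that the UI enforces. The following is an added illustration of the server-side check such an endpoint needs; it is not OpenEMR's own code or its actual patch. It assumes OpenEMR's usual entry points (globals.php for the session, CsrfUtils::verifyCsrfToken() for CSRF, AclMain::aclCheckCore() with the 'acct'/'bill' pair used by billing screens) and a hypothetical data-access helper fetchClaimTrackerRows(); confirm these names against the version you run.

```php
<?php
// Added example, not OpenEMR's code: authorization for a billing AJAX endpoint
// must be enforced here on the server, independent of any UI gating.
// Assumed OpenEMR helpers: globals.php, CsrfUtils, AclMain (verify for your version).
require_once(__DIR__ . "/../../interface/globals.php");

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;

header('Content-Type: application/json');

// Defence in depth only: the XHR header blocks plain cross-site form posts.
// It is NOT an authorization check; any logged-in user can set it.
if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
    http_response_code(400);
    echo json_encode(['error' => 'bad request']);
    exit;
}

// The CSRF token proves the request came from a page rendered for this
// session. It says nothing about what this user is permitted to see.
if (!CsrfUtils::verifyCsrfToken($_POST['csrf_token_form'] ?? '')) {
    http_response_code(403);
    echo json_encode(['error' => 'csrf token invalid']);
    exit;
}

// The step the vulnerable endpoint lacks: re-check the same billing ACL the
// main billing workflow enforces, and deny by default with a 403.
// 'acct'/'bill' is assumed to be the billing ACL section/value.
if (!AclMain::aclCheckCore('acct', 'bill')) {
    http_response_code(403);
    echo json_encode(['error' => 'not authorized']);
    exit;
}

// Only after all three checks pass is it safe to return claim tracking data.
$rows = fetchClaimTrackerRows(); // hypothetical data-access helper, not an OpenEMR API
echo json_encode($rows);
```

A regression test for this class of bug is the reproduction step below run as a low-privilege user: the expected result is a 403 with no claim data in the body.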

Impact

The vulnerability leads to unauthorized access to billing and claim metadata, which can be misused for further exploitation or social engineering. Missing authorization allows low-privilege authenticated users to access data they should not be privy to.

Reproduction

To reproduce this vulnerability, log in as an authenticated user without billing or claims admin permissions, such as a front desk staff member or nurse. Open the browser's developer tools and navigate to the Claim File Tracker UI, or directly call the AJAX endpoint 'library/ajax/billing_tracker_ajax.php' with a valid CSRF token, session cookie, and the 'X-Requested-With' header set to 'XMLHttpRequest'. If the endpoint responds with claim tracking data without requiring additional permissions or returning a 403 Forbidden status, the vulnerability exists.

Remediation

Users are advised to update to OpenEMR version 8.0.0.1 or later, where this vulnerability has been fixed.

Added: Mar 11, 2026, 9:23 PM
Updated: Mar 11, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.