OpenEMR Group Encounter Sensitivity Check Vulnerability

Vulnerability

A vulnerability in OpenEMR prior to version 8.0.0.1 allows unauthorized users to access sensitive group encounters, such as those related to mental health. The issue arises because the application checks sensitivity only for individual encounters and neglects group encounters, which store their sensitivity information in a separate database table. As a result, users who should be restricted can view sensitive data that should be protected.

Impact

This vulnerability leads to incorrect authorization enforcement, allowing unauthorized staff to access sensitive group encounter data, including private health information related to therapy and mental health.

Reproduction

To reproduce this vulnerability, create a group encounter and set its sensitivity to a restricted level. Then, log in as a user who can access group encounters but does not have permission to view that sensitivity level. Access the group encounter through the encounter list, report, or patient chart, and observe that the sensitive data is displayed instead of being blocked.
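The following is an added example illustrating the authorization pattern described in the Vulnerability and Reproduction sections above; it is not OpenEMR's code and its table names (individual_encounter, group_encounter), column names and sensitivity levels are constructed assumptions. It seeds an in-memory SQLite database in which individual encounters carry their sensitivity inline while group encounters keep theirs in a separate table, then contrasts a flawed check that enforces sensitivity only for individual encounters with a corrected check that consults the right table and fails closed.

```python
import sqlite3

# Sensitivity levels in increasing order of restriction (constructed values,
# not OpenEMR's real list).
LEVELS = {"normal": 0, "restricted": 1}

# Constructed schema modelled on the advisory: individual encounters carry
# their sensitivity inline, group encounters keep theirs in a separate table.
# Table and column names are assumptions, not OpenEMR's actual schema.
SCHEMA = """
CREATE TABLE individual_encounter (id INTEGER PRIMARY KEY, pid INTEGER, sensitivity TEXT NOT NULL);
CREATE TABLE group_encounter (id INTEGER PRIMARY KEY, group_id INTEGER, sensitivity TEXT NOT NULL);
"""


def open_sample_db():
    """In-memory database seeded with constructed sample encounters."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO individual_encounter VALUES (?, ?, ?)",
                     [(1, 100, "normal"), (2, 100, "restricted")])
    conn.executemany("INSERT INTO group_encounter VALUES (?, ?, ?)",
                     [(1, 7, "normal"), (2, 7, "restricted")])
    return conn


def clearance_covers(user_level, sensitivity):
    """True when a user whose clearance is user_level may see sensitivity."""
    return LEVELS[user_level] >= LEVELS[sensitivity]


def can_view_vulnerable(conn, user_level, encounter_id, is_group):
    """Flawed check: sensitivity is enforced for individual encounters only.

    A group encounter never reaches the lookup, so it is shown regardless of
    the sensitivity stored in group_encounter. This is the pattern the
    advisory describes."""
    if is_group:
        return True
    row = conn.execute("SELECT sensitivity FROM individual_encounter WHERE id = ?",
                       (encounter_id,)).fetchone()
    return row is not None and clearance_covers(user_level, row[0])


def can_view_fixed(conn, user_level, encounter_id, is_group):
    """Corrected check: consult whichever table holds the encounter's
    sensitivity, and fail closed when the encounter cannot be found."""
    # The table name comes from a fixed two-entry choice, never from user
    # input, so interpolating it into the query is safe here.
    table = "group_encounter" if is_group else "individual_encounter"
    row = conn.execute(f"SELECT sensitivity FROM {table} WHERE id = ?",
                       (encounter_id,)).fetchone()
    if row is None:
        return False  # unknown encounter: deny rather than assume "normal"
    return clearance_covers(user_level, row[0])


def compare_checks(conn, user_level, encounter_id, is_group):
    """Return (vulnerable_decision, fixed_decision) for one access attempt."""
    return (can_view_vulnerable(conn, user_level, encounter_id, is_group),
            can_view_fixed(conn, user_level, encounter_id, is_group))


if __name__ == "__main__":
    db = open_sample_db()
    # A user cleared only for "normal" opens the restricted group encounter:
    # the flawed check lets it through, the corrected one blocks it.
    print("restricted group encounter, normal clearance:",
          compare_checks(db, "normal", 2, True))
    # The same user opening a restricted individual encounter is blocked either way.
    print("restricted individual encounter, normal clearance:",
          compare_checks(db, "normal", 2, False))
```

The important design choice in the corrected check is that the lookup is keyed on the encounter kind, so a group encounter is resolved against the table that actually holds its sensitivity, and that a missing row denies access instead of defaulting to an unrestricted level. Auditing every entry point that renders an encounter (list, report, patient chart) to confirm it routes through one such check is the practical way to verify a fix of this kind.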

Remediation

Users can update to OpenEMR version 8.0.0.1 or later, where this vulnerability is fixed.

Added: Mar 11, 2026, 9:21 PM
Updated: Mar 11, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.