OpenEMR SQL Injection Vulnerability in MedEx Recall/Reminder Processing

Vulnerability

A SQL injection vulnerability has been identified in OpenEMR versions prior to 8.0.0.3. The flaw is in the MedEx recall and reminder processing code: in the 'generate' method of 'library/MedEx/API.php', several values taken from unvalidated sources are concatenated directly into SQL query strings without parameterization or type casting. An attacker who controls those values can alter the query text and execute arbitrary SQL, with the potential to read or modify patient records.

Impact

Exploitation requires an authenticated user and an installation with MedEx enabled. It yields SQL injection against the OpenEMR database, with the potential to read or modify patient records.

Reproduction

Reproduction requires an administrator to have enabled the MedEx feature, which is disabled by default. Once MedEx is active, an authenticated user sends a request to 'interface/main/messages/save.php' whose 'facilities' parameter carries SQL syntax. save.php passes the parameter to the MedEx recall/reminder processing without validation, and 'library/MedEx/API.php' concatenates it into a query, so the injected syntax is executed by the database.
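The concatenation described above, and the 'facilities' parameter used in the reproduction, shown as an added example in Python. This is not OpenEMR's code (the project is PHP); the table layout, the sample rows and every function name here are constructed assumptions for illustration. It goes slightly beyond the page by showing both defences the advisory names, type casting and parameterization, against the same payload.

```python
"""Vulnerable and hardened construction of a facilities filter.

Added example, not code from OpenEMR or the MedEx module. The tables below are
a constructed, simplified stand-in for the real schema, and every function name
here is an assumption made for illustration.
"""
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE facility (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE patient_data (
            pid INTEGER PRIMARY KEY, fname TEXT, facility_id INTEGER);
        INSERT INTO facility VALUES (1, 'Main Clinic'), (2, 'East Clinic'),
            (3, 'Closed Site');
        INSERT INTO patient_data VALUES
            (101, 'Ada', 1), (102, 'Bram', 1), (103, 'Chen', 2), (104, 'Dana', 3);
        """
    )
    return conn


def recall_patients_unsafe(conn: sqlite3.Connection, facilities: str) -> List[int]:
    """The pattern the advisory describes: the request parameter is pasted
    straight into the IN (...) list, so whatever it contains becomes SQL."""
    sql = "SELECT pid FROM patient_data WHERE facility_id IN (" + facilities + ")"
    return sorted(row[0] for row in conn.execute(sql))


def parse_facility_ids(facilities: str) -> List[int]:
    """Type-casting defence: every comma-separated item must be a plain
    decimal integer. A payload such as '1) OR 1=1 --' is rejected before
    any SQL is built."""
    ids = []
    for item in facilities.split(","):
        item = item.strip()
        if not re.fullmatch(r"[0-9]+", item):
            raise ValueError(f"facility id is not an integer: {item!r}")
        ids.append(int(item))
    return ids


def recall_patients_safe(conn: sqlite3.Connection, facilities: str) -> List[int]:
    """Parameterised defence: the query text contains only '?' placeholders,
    one per validated id, and the values travel separately as bound parameters."""
    ids = parse_facility_ids(facilities)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT pid FROM patient_data WHERE facility_id IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, ids))


if __name__ == "__main__":
    db = make_db()
    payload = "1) OR 1=1 --"
    print("unsafe, honest input :", recall_patients_unsafe(db, "1"))
    print("unsafe, injected     :", recall_patients_unsafe(db, payload))
    print("safe, honest input   :", recall_patients_safe(db, "1, 2"))
    try:
        recall_patients_safe(db, payload)
    except ValueError as exc:
        print("safe, injected       : rejected,", exc)
```

With the honest input "1" both functions return the two patients at facility 1. With the payload, the unsafe query becomes `... WHERE facility_id IN (1) OR 1=1 --)` and returns every patient in the table, which is the read-everything outcome the Impact section warns of; the hardened function refuses the payload before any query is built. Either defence alone closes this hole, but the parameterized form also protects against values that are not integers, such as names, where casting does not apply.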

Remediation

Update to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched. Installations that cannot upgrade immediately reduce their exposure by leaving MedEx disabled, since the vulnerable code path is reachable only when that feature is enabled.

Added: Mar 25, 2026, 11:25 PM
Updated: Mar 25, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 3.1
exploitability: 6.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.