OpenEMR SQL Injection Vulnerability in CAMOS Form

Vulnerability

A SQL injection vulnerability has been identified in OpenEMR versions prior to 8.0.0.3. The issue resides in the ajax_save CAMOS form, where user input is inadequately validated before being incorporated into SQL queries. This flaw enables authenticated attackers to inject malicious SQL code, potentially leading to unauthorized database access and extraction of sensitive information.

Impact

An attacker who exploits this vulnerability can manipulate the SQL queries the form issues in order to read, modify, or delete database records; in this case, that means the extraction of sensitive medical information from the database. Additionally, according to the CVE-2026-33917 advisory, this vulnerability could lead to server-side code execution in some cases.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to 'interface/forms/CAMOS/ajax_save.php' with injected SQL payloads in the 'content' parameter. The injection can exploit the 'date_add' and 'date_sub' SQL functions to manipulate date values, potentially leading to unauthorized data access or modification.

Remediation

Users can update to OpenEMR version 8.0.0.3, which addresses this vulnerability by implementing proper input validation and sanitization in the affected form.
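As an added illustration of the kind of change the remediation refers to (this is not OpenEMR's own code; the table name, column names and function names below are hypothetical), the unsafe pattern interpolates the untrusted content value into the query text, while the hardened version validates the value and binds it as a parameter so the database never parses it as SQL:

```php
<?php
// Added example, not OpenEMR code. Table and column names are hypothetical.
declare(strict_types=1);

// UNSAFE: the untrusted POST value becomes part of the SQL text, so any SQL
// syntax it contains (function calls, quotes, comments) is parsed and
// executed by the server. This is the pattern the advisory describes.
function saveCamosContentUnsafe(PDO $db, int $pid, string $content): void
{
    $sql = "INSERT INTO form_camos_example (pid, content, date)
            VALUES ($pid, '$content', NOW())";
    $db->exec($sql);
}

// HARDENED: validate the shape of the input, then bind it as a parameter.
// Bound values travel separately from the query text, so an expression such
// as date_add()/date_sub() inside the value is stored as plain text, never
// evaluated.
function saveCamosContent(PDO $db, int $pid, string $content): void
{
    // Reject control characters and enforce a sane length for free text.
    if ($content === '' || strlen($content) > 65535
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $content)) {
        throw new InvalidArgumentException('invalid content');
    }
    $stmt = $db->prepare(
        'INSERT INTO form_camos_example (pid, content, date)
         VALUES (:pid, :content, NOW())'
    );
    $stmt->execute([':pid' => $pid, ':content' => $content]);
}

// When a field is a date, validate it strictly and let the database do the
// date arithmetic with the value as a bound parameter, not as query text.
function shiftDateSafe(PDO $db, string $date, int $days): string
{
    $parsed = DateTimeImmutable::createFromFormat('!Y-m-d', $date);
    if ($parsed === false || $parsed->format('Y-m-d') !== $date) {
        throw new InvalidArgumentException('invalid date');
    }
    $stmt = $db->prepare('SELECT DATE_ADD(:d, INTERVAL :n DAY)');
    $stmt->bindValue(':d', $date, PDO::PARAM_STR);
    $stmt->bindValue(':n', $days, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}
```

The example assumes a PDO connection to MySQL/MariaDB; the same principle (strict validation plus bound parameters) applies to whatever database layer an application uses.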

Added: Mar 26, 2026, 12:25 AM
Updated: Mar 26, 2026, 12:25 AM

Vulnerability Rating (Custom Algorithm)

  spread          4.5
  impact          2.5
  exploitability  6.2
  remediation     7.7
  relevance       4.7
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.