OpenEMR Improper Access Control Vulnerability in Import/Export Functionality

Vulnerability

A vulnerability exists in OpenEMR versions prior to 8.0.0.3, where improper access control on the Import/Export feature allows unauthorized users to manipulate requests and perform import and export actions, bypassing user interface restrictions. This could result in unauthorized access to data, bulk extraction of information, and manipulation of system data.

Impact

Exploitation of this vulnerability could lead to unauthorized access and actions within the Import/Export functionality, allowing for bulk data extraction and unauthorized manipulation of system data.

Reproduction

To reproduce this vulnerability, log into OpenEMR as a user with limited permissions, such as a receptionist. Although the Import/Export popups will be disabled, it is possible to manually navigate to the corresponding URLs and perform import or export actions. This can be done by creating patient data in XML format and saving it, which will trigger the import process despite the absence of user interface support.
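The root cause described above is that the Import/Export pages were gated only by hiding their menu entries, so a request sent straight to the endpoint was never authorized. The following PHP sketch is an added illustration, not OpenEMR's own code: it shows an import handler that relies on the hidden UI beside one that enforces the permission inside the handler on every request. The `user_has_permission()` lookup, the `$session` layout, the privilege names and the `import_patient_xml()` stub are all hypothetical placeholders for whatever ACL layer and import routine a real application uses.

```php
<?php
declare(strict_types=1);

// Hypothetical permission lookup (not OpenEMR's ACL API): returns true if the
// session's role holds the named privilege. A real deployment would consult
// the application's ACL layer rather than a hard-coded grant table.
function user_has_permission(array $session, string $privilege): bool
{
    $grants = [
        'admin'        => ['patients:read', 'patients:import', 'patients:export'],
        'receptionist' => ['patients:read'],
    ];
    $role = $session['role'] ?? '';
    return in_array($privilege, $grants[$role] ?? [], true);
}

// Server-side gate shared by every import/export entry point. It runs before
// any input is parsed and does not care whether a menu link existed.
function require_privilege(array $session, string $privilege): void
{
    if (!user_has_permission($session, $privilege)) {
        http_response_code(403);
        // Log the denied attempt: direct requests to hidden endpoints are a
        // useful detection signal for this class of bug.
        error_log(sprintf('privilege %s denied for user=%s role=%s',
            $privilege, $session['user'] ?? '?', $session['role'] ?? '?'));
        throw new RuntimeException('forbidden: ' . $privilege);
    }
}

// Stand-in for the real import routine: parses the XML defensively
// (no network access for external entities) and returns a summary instead
// of writing to a database.
function import_patient_xml(string $xmlBody): string
{
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xmlBody, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return 'invalid xml';
    }
    return 'imported patient ' . (string) $doc->name;
}

// BEFORE: the handler trusts that the Import popup was hidden for this role
// and never checks the caller itself, so any authenticated user who reaches
// the URL can trigger the import.
function handle_import_unprotected(array $session, string $xmlBody): string
{
    return import_patient_xml($xmlBody);
}

// AFTER: the authorization decision is made in the handler, on every request.
function handle_import_protected(array $session, string $xmlBody): string
{
    require_privilege($session, 'patients:import');
    return import_patient_xml($xmlBody);
}

// Constructed sample: a receptionist session posting XML directly to the
// import endpoint, bypassing the disabled UI.
$session = ['user' => 'alice', 'role' => 'receptionist'];
$xml     = '<patient><name>Example Patient</name></patient>';

echo handle_import_unprotected($session, $xml), PHP_EOL;
try {
    echo handle_import_protected($session, $xml), PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check belongs in the request handler (or a middleware that wraps all of them), not in the template that draws the button; the same `require_privilege()` call should guard the export endpoint with its own privilege, since hiding a popup is a usability decision and not a security boundary.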

Remediation

Users can update to OpenEMR version 8.0.0.3 or later, where this vulnerability has been fixed.

Added: Mar 26, 2026, 12:21 AM
Updated: Mar 26, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.