OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.1
A vulnerability exists in OpenEMR versions prior to 8.0.0.3, where the AJAX deletion endpoint for procedure orders lacks proper authorization. This flaw allows any authenticated user, regardless of their role, to permanently delete procedure orders, answers, and specimens for any patient. The endpoint only verifies the CSRF token and requires an authenticated session, but fails to check user roles or validate that the specified order or specimen IDs belong to the patient in the current session. This issue can be exploited by users with minimal privileges, such as front-desk accounts.
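The two checks the advisory says the endpoint lacks (a role check, and a check that every submitted order or specimen id belongs to the patient in the current session) are modelled below as an added example. This is not OpenEMR's code (its endpoint is PHP, and its real schema, role names and helpers are not reproduced here); the in-memory data, the role names and every function name are constructed for illustration. `delete_weak` mirrors the flawed behaviour (CSRF token plus session only); `delete_hardened` adds the role gate and resolves and validates all ids against the session patient before mutating anything, so a request that mixes one valid id with one foreign id deletes nothing. That all-or-nothing validation is a generalisation beyond what the advisory states, but it is the shape of check a fix of this class normally takes.

```python
"""Model of a per-patient deletion endpoint: weak (CSRF + session only) vs hardened."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set


# Constructed sample schema; not OpenEMR's tables.
@dataclass
class ProcedureOrder:
    id: int
    patient_id: int
    answers: List[str] = field(default_factory=list)


@dataclass
class Specimen:
    id: int
    order_id: int
    deleted: bool = False  # specimens are soft-deleted, as the advisory describes


@dataclass
class Store:
    orders: Dict[int, ProcedureOrder]
    specimens: Dict[int, Specimen]


@dataclass
class Session:
    user_role: str
    patient_id: int   # the patient currently open in the session
    csrf_token: str


class Forbidden(Exception):
    """Raised when a request fails an authorization or ownership check."""


# Hypothetical role names; OpenEMR's real ACL is not modelled here.
ROLES_ALLOWED_TO_DELETE: Set[str] = {"physician", "clinician"}


def make_store() -> Store:
    """Constructed data: patient 1 owns order 10 / specimen 100, patient 2 owns 11 / 101."""
    return Store(
        orders={10: ProcedureOrder(10, 1, ["fasting: yes"]),
                11: ProcedureOrder(11, 2, ["fasting: no"])},
        specimens={100: Specimen(100, 10), 101: Specimen(101, 11)},
    )


def _check_csrf(session: Session, posted_token: str) -> None:
    if session.csrf_token != posted_token:
        raise Forbidden("bad CSRF token")


def delete_weak(store: Store, session: Session, posted_token: str,
                order_ids: Sequence[int], specimen_ids: Sequence[int]) -> bool:
    """Mirrors the flaw: only the CSRF token and an authenticated session are checked,
    so any role can delete any patient's orders and specimens."""
    _check_csrf(session, posted_token)
    for oid in order_ids:
        store.orders.pop(oid, None)            # hard delete, any patient
    for sid in specimen_ids:
        if sid in store.specimens:
            store.specimens[sid].deleted = True  # soft delete, any patient
    return True


def delete_hardened(store: Store, session: Session, posted_token: str,
                    order_ids: Sequence[int], specimen_ids: Sequence[int]) -> bool:
    """CSRF + session, then a role gate, then ownership of every id is verified
    against the session patient before any row is touched."""
    _check_csrf(session, posted_token)
    if session.user_role not in ROLES_ALLOWED_TO_DELETE:
        raise Forbidden(f"role {session.user_role!r} may not delete procedure data")

    # Resolve and validate first; an unknown id or one owned by another
    # patient rejects the whole request, so nothing is partially deleted.
    orders: List[ProcedureOrder] = []
    for oid in order_ids:
        order = store.orders.get(oid)
        if order is None or order.patient_id != session.patient_id:
            raise Forbidden(f"order {oid} does not belong to the session patient")
        orders.append(order)
    specimens: List[Specimen] = []
    for sid in specimen_ids:
        spec = store.specimens.get(sid)
        parent = store.orders.get(spec.order_id) if spec else None
        if spec is None or parent is None or parent.patient_id != session.patient_id:
            raise Forbidden(f"specimen {sid} does not belong to the session patient")
        specimens.append(spec)

    # Only now mutate.
    for order in orders:
        del store.orders[order.id]
    for spec in specimens:
        spec.deleted = True
    return True


def try_delete(handler, store: Store, session: Session, token: str,
               order_ids: Sequence[int], specimen_ids: Sequence[int]) -> bool:
    """Run a handler and report whether the request was accepted."""
    try:
        return handler(store, session, token, order_ids, specimen_ids)
    except Forbidden:
        return False
```

With the weak handler a front-desk session for patient 1 can delete patient 2's order and specimen; with the hardened handler the same request is refused, and a clinician's request that names a foreign specimen alongside their own order is refused as a whole, leaving the order in place.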
Exploitation of this vulnerability allows authenticated users to irreversibly delete clinical procedure data and soft-delete associated specimens for any patient, leading to a violation of data integrity and disruption of patient care workflows.
To reproduce this vulnerability, log into OpenEMR as a user with low privileges. Navigate to a page to obtain a valid CSRF token, then send a POST request to the deletion endpoint with the token and the IDs of procedure orders or specimens to delete. The specified data will be deleted, regardless of patient ownership.
Users can update to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched.