OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 7.0.2
A vulnerability exists in OpenEMR's patient notes web interface in versions prior to 8.0.0.3. The issue arises from legacy functions in 'library/pnotes.inc.php' that update and delete notes based on user-controlled IDs without verifying whether the notes belong to patients the user is authorized to access. This flaw, which mirrors a similar vulnerability in the REST API, allows authenticated users to read, modify, delete, and change the status of notes for other patients.
Exploitation of this vulnerability allows an authenticated user with 'patients/notes' ACL permission to access and modify patient notes across different patients, including deleting notes and marking them as inactive.
The vulnerability can be reproduced by an authenticated user with 'patients/notes' ACL permission. Notes can be accessed and modified through the web UI by directly manipulating note IDs, bypassing authorization checks that ensure the notes belong to the correct patient.
Users can update to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched.
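The missing ownership check described above, as an added example that is neither OpenEMR's code nor its actual patch: a simplified PHP model in which the `notes` table, its columns and the functions `deleteNoteUnscoped` and `deleteNoteScoped` are hypothetical, run against constructed in-memory SQLite data (requires the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

// Constructed sample data: two patients, one note each (in-memory SQLite).
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, pid INTEGER, body TEXT, deleted INTEGER DEFAULT 0)');
    $db->exec("INSERT INTO notes (id, pid, body) VALUES (1, 100, 'note for patient 100'), (2, 200, 'note for patient 200')");
    return $db;
}

// Flawed pattern (hypothetical function): the note is selected by its ID alone.
function deleteNoteUnscoped(PDO $db, int $noteId): int
{
    $st = $db->prepare('UPDATE notes SET deleted = 1 WHERE id = ?');
    $st->execute([$noteId]);
    return $st->rowCount();
}

// Hardened pattern (hypothetical function): the row must also belong to the
// patient the session is authorized for, so a foreign note ID matches nothing.
function deleteNoteScoped(PDO $db, int $noteId, int $sessionPid): int
{
    $st = $db->prepare('UPDATE notes SET deleted = 1 WHERE id = ? AND pid = ?');
    $st->execute([$noteId, $sessionPid]);
    return $st->rowCount(); // 0 means no such note for this patient
}

$sessionPid  = 100; // patient chart the user has open (server-side value)
$requestedId = 2;   // note ID taken from the request; it belongs to patient 200

$db = makeDb();
printf("unscoped: %d row(s) changed\n", deleteNoteUnscoped($db, $requestedId));

$db = makeDb();
$changed = deleteNoteScoped($db, $requestedId, $sessionPid);
printf("scoped: %d row(s) changed\n", $changed);
if ($changed === 0) {
    // Treat as an authorization failure and log it so it can be detected.
    error_log("denied: note $requestedId is not owned by pid $sessionPid");
}
```

Binding the patient ID from server-side session state, never from the request, is what makes the scoped query an authorization check rather than a second user-controlled filter.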