Brady Miller

50 exploits, active since Aug 2017
CVE-2026-33933 MEDIUM WRITEUP
Reflected XSS via Unescaped contextName Parameter in Custom Template Editor
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
CVSS 6.1
CVE-2026-25745 MEDIUM WRITEUP
OpenEMR's Message Update Ignores Patient id
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue.
CVSS 6.5
CVE-2026-24890 HIGH WRITEUP
OpenEMR <8.0.0 - Auth Bypass
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures by setting `type=admin-signature` and specifying any provider user ID. This could potentially lead to signature forgery on medical documents, legal compliance violations, and fraud. The issue occurs when portal users are allowed to modify provider signatures without proper authorization checks. Version 8.0.0 fixes the issue.
CVSS 8.1
CVE-2025-67491 MEDIUM WRITEUP
OpenEMR 5.0.0.5-7.0.3.4 - XSS
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. The variable `$data` is passed in a click event handler enclosed in single quotes without proper sanitization. Thus, despite `json_encode`, a malicious user can still inject a payload such as ` ac' ><img src=x onerror=alert(document.cookie)> ` to trigger the bug. This vulnerability allows low-privileged users to embed malicious JS payloads on the server and perform a stored XSS attack. This, in turn, makes it possible for malicious users to steal session cookies and perform unauthorized actions while impersonating administrators. Version 7.0.4 patches the issue.
CVSS 5.4
CVE-2026-24896 MEDIUM WRITEUP
OpenEMR <8.0.0 - Broken Access Control
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in OpenEMR’s edih_main.php endpoint, which allows any authenticated user—including low-privilege roles like Receptionist—to access EDI log files by manipulating the log_select parameter in a GET request. The back-end fails to enforce role-based access control (RBAC), allowing sensitive system logs to be accessed outside the GUI-enforced permission boundaries. Version 8.0.0 fixes the issue.
CVSS 6.5
CVE-2026-25127 MEDIUM WRITEUP
OpenEMR <8.0.0 - Privilege Escalation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permissions. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.
CVSS 6.5
CVE-2026-25131 HIGH WRITEUP
OpenEMR <8.0.0 - Privilege Escalation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch.
CVSS 8.8
CVE-2017-12064 HIGH WRITEUP
OpenEMR <5.0.0 - Auth Bypass
The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name.
CVSS 7.5
CVE-2018-10571 MEDIUM WRITEUP
OpenEMR <5.0.1 - XSS
Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date, or (19) form_to_date parameter to interface/billing/sl_eob_search.php; (20) codetype or (21) search_term parameter to interface/de_identification_forms/find_code_popup.php; (22) search_term parameter to interface/de_identification_forms/find_drug_popup.php; (23) search_term parameter to interface/de_identification_forms/find_immunization_popup.php; (24) id parameter to interface/forms/CAMOS/view.php; (25) id parameter to interface/forms/reviewofs/view.php; or (26) list_id parameter to library/custom_template/personalize.php.
CVSS 6.1
CVE-2018-10572 MEDIUM WRITEUP
OpenEMR <5.0.1 - Auth Bypass
interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters.
CVSS 6.5
CVE-2018-10573 HIGH WRITEUP
OpenEMR <5.0.1 - Auth Bypass
interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter.
CVSS 8.8
CVE-2018-17180 MEDIUM WRITEUP
OpenEMR <5.0.1 - Path Traversal
An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php.
CVSS 5.3
CVE-2018-17181 CRITICAL WRITEUP
OpenEMR <5.0.1 - SQL Injection
An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.
CVSS 9.8
CVE-2018-9250 HIGH WRITEUP
OpenEMR <5.0.1.1 - SQL Injection
interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter.
CVSS 8.8
CVE-2021-25917 MEDIUM WRITEUP
OpenEMR <6.0.0 - XSS
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS 4.8
CVE-2021-25918 MEDIUM WRITEUP
OpenEMR <6.0.0 - XSS
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS 4.8
CVE-2021-25919 MEDIUM WRITEUP
OpenEMR <6.0.0 - XSS
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS 4.8
CVE-2021-25920 MEDIUM WRITEUP
OpenEMR <6.0.0 - Privilege Escalation
In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which allows a malicious user to read and send sensitive messages on behalf of the victim user.
CVSS 6.5
CVE-2021-25921 MEDIUM WRITEUP
OpenEMR <6.0.0 - XSS
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin into entering a malicious payload, thereby initiating the exploit.
CVSS 5.4
CVE-2021-25922 MEDIUM WRITEUP
OpenEMR <6.0.0 - XSS
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user into clicking a malicious URL and execute malicious code.
CVSS 6.1
CVE-2021-25923 HIGH WRITEUP
OpenEMR <6.0.0.1 - Info Disclosure
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements, as the application does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, they can leverage it for an account takeover.
CVSS 8.1
CVE-2022-1178 MEDIUM WRITEUP
OpenEMR <6.0.0.4 - XSS
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVSS 5.4
CVE-2022-1179 MEDIUM WRITEUP
OpenEMR <6.0.0.4 - XSS
A non-privileged user can create a new rule, leading to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVSS 5.4
CVE-2022-1180 LOW WRITEUP
OpenEMR <6.0.0.4 - XSS
Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVSS 3.5
CVE-2022-2493 HIGH WRITEUP
GitHub openemr/openemr <7.0.0 - Info Disclosure
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
CVSS 8.1