Brady Miller

56 exploits, active since Aug 2017
CVE-2018-17179 WRITEUP CRITICAL WRITEUP
OpenEMR < 5.0.1.7 - SQL Injection via taskman.php
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
CVSS 9.8
CVE-2026-25746 WRITEUP HIGH WRITEUP
OpenEMR < 8.0.0 - Authenticated SQL Injection in Prescription Listing
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
CVSS 8.8
CVE-2026-25146 WRITEUP CRITICAL WRITEUP
OpenEMR 5.0.2-7.9.9 - Info Disclosure
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
CVSS 9.6
CVE-2025-67491 WRITEUP MEDIUM WRITEUP
OpenEMR 5.0.0.5-7.0.3.4 - Stored Cross-Site Scripting in Billing UB04 Helper
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. The variable `$data` is passed in a click event handler enclosed in single quotes without proper sanitization. Thus, despite `json_encode`, a malicious user can still inject a payload such as ` ac' ><img src=x onerror=alert(document.cookie)> ` to trigger the bug. This vulnerability allows low-privileged users to embed malicious JS payloads on the server and perform a stored XSS attack. This, in turn, makes it possible for malicious users to steal session cookies and perform unauthorized actions while impersonating administrators. Version 7.0.4 patches the issue.
CVSS 5.4
CVE-2026-33933 WRITEUP MEDIUM WRITEUP
Reflected XSS via Unescaped contextName Parameter in Custom Template Editor
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
CVSS 6.1
CVE-2026-25745 WRITEUP MEDIUM WRITEUP
OpenEMR's Message Update Ignores Patient id
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue.
CVSS 6.5
CVE-2026-24890 WRITEUP HIGH WRITEUP
OpenEMR < 8.0.0 - Authenticated Authorization Bypass via Patient Portal Signature Endpoint
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures by setting `type=admin-signature` and specifying any provider user ID. This could potentially lead to signature forgery on medical documents, legal compliance violations, and fraud. The issue occurs when portal users are allowed to modify provider signatures without proper authorization checks. Version 8.0.0 fixes the issue.
CVSS 8.1
CVE-2026-24896 WRITEUP MEDIUM WRITEUP
OpenEMR <8.0.0 - Broken Access Control
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in OpenEMR’s edih_main.php endpoint, which allows any authenticated user—including low-privilege roles like Receptionist—to access EDI log files by manipulating the log_select parameter in a GET request. The back-end fails to enforce role-based access control (RBAC), allowing sensitive system logs to be accessed outside the GUI-enforced permission boundaries. Version 8.0.0 fixes the issue.
CVSS 6.5
CVE-2026-25127 WRITEUP MEDIUM WRITEUP
OpenEMR <8.0.0 - Privilege Escalation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permissions. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.
CVSS 6.5
CVE-2026-25131 WRITEUP HIGH WRITEUP
OpenEMR <8.0.0 - Privilege Escalation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch.
CVSS 8.8
CVE-2017-12064 WRITEUP HIGH WRITEUP
OpenEMR 5.0.0 and prior - Improper Encoding or Escaping of Output in csv_log_html Function
The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name.
CVSS 7.5
CVE-2018-10571 WRITEUP MEDIUM WRITEUP
OpenEMR < 5.0.1 - Reflected Cross-Site Scripting via Multiple Parameters
Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date, or (19) form_to_date parameter to interface/billing/sl_eob_search.php; (20) codetype or (21) search_term parameter to interface/de_identification_forms/find_code_popup.php; (22) search_term parameter to interface/de_identification_forms/find_drug_popup.php; (23) search_term parameter to interface/de_identification_forms/find_immunization_popup.php; (24) id parameter to interface/forms/CAMOS/view.php; (25) id parameter to interface/forms/reviewofs/view.php; or (26) list_id parameter to library/custom_template/personalize.php.
CVSS 6.1
CVE-2018-10572 WRITEUP MEDIUM WRITEUP
OpenEMR < 5.0.1 - Authenticated Access Control Bypass via Letter Template Parameters
interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the newtemplatename and form_body parameters.
CVSS 6.5
CVE-2018-10573 WRITEUP HIGH WRITEUP
OpenEMR < 5.0.1 - Authenticated Access Control Bypass via Fax Dispatch Scan Parameter
interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the scan parameter.
CVSS 8.8
CVE-2018-17180 WRITEUP MEDIUM WRITEUP
OpenEMR < 5.0.1.7 - Path Traversal via docid Parameter in download_template.php
An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php.
CVSS 5.3
CVE-2018-17181 WRITEUP CRITICAL WRITEUP
OpenEMR < 5.0.1.7 - SQL Injection via SaveAudit and portalAudit Functions
An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.
CVSS 9.8
CVE-2018-9250 WRITEUP HIGH WRITEUP
OpenEMR < 5.0.1.1 - Authenticated SQL Injection via newlistname Parameter
interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter.
CVSS 8.8
CVE-2021-25917 WRITEUP MEDIUM WRITEUP
OpenEMR 5.0.2-6.0.0 - Stored Cross-Site Scripting in U2F USB Device Authentication Page
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS 4.8
CVE-2021-25918 WRITEUP MEDIUM WRITEUP
OpenEMR 5.0.2-6.0.0 - Stored Cross-Site Scripting in TOTP Authentication Method Page
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS 4.8
CVE-2021-25919 WRITEUP MEDIUM WRITEUP
OpenEMR 5.0.2-6.0.0 - Stored Cross-Site Scripting in User Input Fields
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
CVSS 4.8
CVE-2021-25920 WRITEUP MEDIUM WRITEUP
OpenEMR <6.0.0 - Privilege Escalation
In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which allows a malicious user to read and send sensitive messages on behalf of the victim user.
CVSS 6.5
CVE-2021-25921 WRITEUP MEDIUM WRITEUP
OpenEMR 2.7.3-6.0.0 - Stored Cross-Site Scripting in Allergies Section
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin into entering a malicious payload and thereby trigger the exploit.
CVSS 5.4