Will Porter

6 exploits Active since May 2019
CVE-2019-16404 WRITEUP HIGH WRITEUP
OpenEMR < 5.0.2 - Authenticated SQL Injection via providerID Parameter
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVSS 8.8
CVE-2019-16862 WRITEUP MEDIUM WRITEUP
OpenEMR 5.0.0-5.0.2.1 - Reflected Cross-Site Scripting via PID Parameter
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.
CVSS 6.1
CVE-2019-17179 WRITEUP MEDIUM WRITEUP
OpenEMR < 5.0.2 - Stored Cross-Site Scripting
4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1
CVSS 6.1
CVE-2019-17409 WRITEUP MEDIUM WRITEUP
OpenEMR 5.0.1-5.0.2.1 - Reflected Cross-Site Scripting via id Parameter
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
CVSS 6.1
CVE-2020-13168 WRITEUP MEDIUM WRITEUP
SysAid On-Premises 20.1.11b26 - Reflected Cross-Site Scripting via ForgotPassword.jsp accountid Parameter
SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter.
CVSS 6.1
CVE-2018-17179 METASPLOIT CRITICAL ruby WORKING POC
OpenEMR < 5.0.1.7 - SQL Injection via taskman.php
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
CVSS 9.8