CVE-2012-0991

NUCLEI

OpenEMR 4.1.0 - Authenticated Path Traversal via Formname Parameter


Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-0991. PoCs published by High-Tech Bridge SA. A Nuclei detection template is also available.

AI-analyzed exploit summary: The provided text describes a local file inclusion (LFI) and command injection vulnerability in OpenEMR 4.1.0. It includes a URL example demonstrating the LFI exploit but lacks executable code or detailed technical steps for exploitation.

Description

Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.

Exploits (3)

exploitdb WRITEUP VERIFIED
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/36648

The provided text describes a local file inclusion (LFI) and command injection vulnerability in OpenEMR 4.1.0. It includes a URL example demonstrating the LFI exploit but lacks executable code or detailed technical steps for exploitation.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Theoretical
Target: OpenEMR 4.1.0
No auth needed
Prerequisites: Access to the target URL · OpenEMR 4.1.0 or potentially affected versions
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/36649

This exploit demonstrates a local file inclusion (LFI) vulnerability in OpenEMR 4.1.0 by manipulating the 'formname' parameter to include arbitrary files (e.g., /etc/passwd). The vulnerability arises from insufficient input sanitization, allowing path traversal attacks.

Classification: Working Poc 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: OpenEMR 4.1.0
No auth needed
Prerequisites: Network access to the target OpenEMR instance
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/36650

This exploit demonstrates a local file inclusion (LFI) vulnerability in OpenEMR 4.1.0, allowing an attacker to read arbitrary files (e.g., /etc/passwd) by manipulating the 'formname' parameter. The vulnerability arises from insufficient input sanitization.

Classification: Working Poc 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: OpenEMR 4.1.0
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

OpenEMR 4.1 - Local File Inclusion
LOW · by daffainfo
Shodan: http.html:"openemr" || http.title:"openemr" || http.favicon.hash:1971268439
FOFA: icon_hash=1971268439 || body="openemr" || title="openemr" || app="openemr"

References (10)

Core References
Exploit, Patch x_refsource_misc
https://www.htbridge.ch/advisory/HTB23069
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/78727
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/51788
Exploit, Patch mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-02/0004.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47781
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/78729
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/78728
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/72914
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/78730

Scores

EPSS 0.1999
EPSS Percentile 95.6%

Details

CWE: CWE-22
Status: published
Products (1): openemr/openemr 4.1.0
Published: Feb 07, 2012
Tracked Since: Feb 18, 2026