CVE-2015-4453

OpenEMR 2.x-4.x - Unauthenticated Authentication Bypass via ignoreAuth Parameter

Description

interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via an ignoreAuth=1 value to certain scripts, as demonstrated by (1) interface/fax/fax_dispatch_newpid.php and (2) interface/billing/sl_eob_search.php.

References (6)

Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Jun/48
Vendor Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000092
Vendor Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN22677713/index.html
Patch, Vendor Advisory x_refsource_misc
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75299

Scores

EPSS 0.4087
EPSS Percentile 97.4%

Details

CWE
CWE-287
Status published
Products (10)
open-emr/openemr 2.8.3
open-emr/openemr 2.9.0
open-emr/openemr 3.0.1
open-emr/openemr 3.1.0
open-emr/openemr 3.2.0
open-emr/openemr 4.0.0
open-emr/openemr 4.1.0
open-emr/openemr 4.1.1
open-emr/openemr 4.1.2
open-emr/openemr 4.2.0
Published Jul 05, 2015
Tracked Since Feb 18, 2026