CVE-2017-16540
HIGHOpenEMR < 5.0.0 - Unauthenticated Database Copy via setup.php State Parameter
Title source: llmDescription
OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database copying because setup.php exposes functionality for cloning an existing OpenEMR site to an arbitrary attacker-controlled MySQL server via vectors involving a crafted state parameter.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101983
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://isears.github.io/jekyll/update/2017/10/28/openemr-database-disclosure.html
Scores
CVSS v3
7.5
EPSS
0.0033
EPSS Percentile
56.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
open-emr/openemr
< 5.0.0
Published
Nov 04, 2017
Tracked Since
Feb 18, 2026