Description
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/lodestone-security/CVEs/blob/master/CVE-2019-16404/README.md
Scores
CVSS v3
8.8
EPSS
0.0001
EPSS Percentile
1.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
open-emr/openemr
5.0.1 - 5.0.2
Published
Oct 21, 2019
Tracked Since
Feb 18, 2026