CVE-2019-16404
HIGHOpenEMR < 5.0.2 - Authenticated SQL Injection via providerID Parameter
Title source: llmDescription
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/lodestone-security/CVEs/blob/master/CVE-2019-16404/README.md
Scores
CVSS v3
8.8
EPSS
0.0107
EPSS Percentile
60.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
open-emr/openemr
5.0.1 - 5.0.2
Published
Oct 21, 2019
Tracked Since
Feb 18, 2026