CVE-2021-25920

MEDIUM

OpenEMR <6.0.0 - Privilege Escalation

Title source: llm

Description

In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.

References (2)

[Patch, Third Party Advisory] https://github.com/openemr/openemr/commit/0fadc3e592d84bc9dfe9e0403f8bd6e3c7d8427f

View Patch ZIP pw:eip

[Third Party Advisory] https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25920

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 44.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-178

Status published

Products (1)

open-emr/openemr 2.7.2 - 6.0.0

Published Mar 22, 2021

Tracked Since Feb 18, 2026