SQL injection in the delete action of the file add_edit_event.php in openemr/openemr


Reported on

Apr 30th 2023


We have discovered that the SQL injection vulnerability can be exploited through the file /interface/main/calendar/add_edit_event.php, allowing an attacker to manipulate the query via the eid parameter, provided that the Support Multi-Provider Events feature is enabled.

Proof of Concept


POST /openemr/interface/main/calendar/add_edit_event.php?eid=1' HTTP/1.1
Host: localhost:8888
Content-Length: 75
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: OpenEMR=uqIwdZamDUi602vL9TYGfvL6lrf1Pun7PZlxnFoIcLsDkOGO
Connection: close




An attacker can modify the query and get all the data in the database.
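As an added illustration of the bug class this report describes (constructed for this page, not OpenEMR's own code; the table and column names are assumed), a PHP delete handler that splices eid into the SQL text next to a version that validates and binds it, exercised with the report's own eid=1' input against an in-memory SQLite database:

```php
<?php
// Constructed example, not OpenEMR's code. Table/column names are assumptions.

// Vulnerable pattern: eid comes straight from the query string and is spliced
// into the SQL text, so a value like 1' breaks out of the quoted literal and the
// remainder of the statement is attacker-controlled.
function deleteEventVulnerable(PDO $db, array $get): int
{
    $eid = $get['eid'] ?? '';
    $sql = "DELETE FROM openemr_postcalendar_events WHERE pc_eid = '$eid'";
    return $db->exec($sql); // whatever was sent as eid reaches the SQL parser
}

// Hardened pattern: check the type first, then bind the value as a parameter so
// the database never interprets it as SQL. Returns 0 for rejected input; the
// caller should answer with an HTTP 400 in that case.
function deleteEventSafe(PDO $db, array $get): int
{
    $eid = filter_var($get['eid'] ?? null, FILTER_VALIDATE_INT);
    if ($eid === false || $eid < 1) {
        return 0; // "1'" and anything else that is not a positive id is refused
    }
    $stmt = $db->prepare('DELETE FROM openemr_postcalendar_events WHERE pc_eid = :eid');
    $stmt->execute([':eid' => $eid]);
    return $stmt->rowCount();
}

// Stand-alone demonstration with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE openemr_postcalendar_events (pc_eid INTEGER PRIMARY KEY, pc_title TEXT)');
$db->exec("INSERT INTO openemr_postcalendar_events VALUES (1,'a'),(2,'b'),(3,'c')");

// The report's probe value: the vulnerable handler hands it to the SQL parser,
// which is exactly the syntax-error signal an injection scanner looks for.
try {
    deleteEventVulnerable($db, ['eid' => "1'"]);
} catch (PDOException $e) {
    echo "vulnerable: user input reached the SQL parser: " . $e->getMessage() . "\n";
}

// The hardened handler rejects the same value before any SQL is built,
// and still deletes a real row when given a genuine integer id.
echo "safe, eid=1': rows deleted = " . deleteEventSafe($db, ['eid' => "1'"]) . "\n";
echo "safe, eid=2:  rows deleted = " . deleteEventSafe($db, ['eid' => '2']) . "\n";
```

The same change applies to every place a request parameter is concatenated into a query, not only the delete action; a database error surfacing on a quoted id, as in the PoC above, is a reliable detection signal for the vulnerable pattern.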

We are processing your report and will contact the openemr team within 24 hours. 5 months ago
We have contacted a member of the openemr team and are waiting to hear back 5 months ago
stephen waite validated this vulnerability 5 months ago

Thanks @Nhien.IT, have a fix in progress.

Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
5 months ago


Hi @stephenwaite,

Thank you for confirming this report. If you don't mind, can you assign the CVE ID for this vulnerability? I need it for my work.

stephen waite gave praise 5 months ago
Hi @Nhien.IT, this is fixed in https://github.com/openemr/openemr/commit/391f2f98cbd6faa30bfdffb80af1461fc55a10a5 but we are unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 patch 1 in about 1-3 weeks, which will include this fix. At that time (after the release of OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE). Thanks again for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
4 months ago


Hi @maintainer,

any update here?

3 months ago


Hi @maintainer @admin,

Any update here????? I just received an email that OpenEMR 7.0.1 Patch 1 has been released!!


Ben Harvie
3 months ago


Hi Nhien.IT, if you have the patch commit SHA and fixed version, we can manually mark this as fixed. We will require maintainer confirmation for a CVE to be assigned and published however. Thanks!

3 months ago


Hi @admin,

The patch is committed at https://github.com/openemr/openemr/commit/391f2f98cbd6faa30bfdffb80af1461fc55a10a5 and I have received an email about the OpenEMR 7.0.1 patch.


3 months ago


Hi @admin @maintainer,

Any new updates here? It's been quite a while since the patch was announced and I haven't received a response from @maintainer. I hope @admin can help!!!!


Ben Harvie marked this as fixed in master with commit 391f2f 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 2 months ago
add_edit_event.php#L780 has been validated