Non-Privilege User Can View Patient’s Disclosures in openemr/openemr


Reported on

Mar 28th 2022

Vulnerability Type

Insecure Direct Object Reference

Affected URL

https://localhost/openemr-6.0.0/interface/patient_file/summary/record_disclosure.php?editlid=X

Authentication Required?


Issue Summary

Non-privileged users (accounting, front office) can view a patient’s disclosures and can add, edit and delete them. The disclosures function is not shown to non-privileged users on the patient’s dashboard, but such a user can send a GET request directly to the vulnerable endpoint and view it.


The session identified by the OpenEMR cookie must be checked on the server against the parameters sent in the GET request to https://localhost/openemr-6.0.0/interface/patient_file/summary/record_disclosure.php, so that only sessions belonging to Admin or otherwise privileged users are allowed to view and use the features in forms administration.


Aden Yap Chuen Zhen

Rizan, Sheikh

Ali Radzali

Issue Reproduction

Log in to the EMR as admin; the Disclosures section is visible in the patient’s dashboard. Click on “Edit”.

Figure 1: Login as Administrator and View Patient’s Disclosures

Figure 2: Admin View List of Disclosures

Now, using a non-admin account (e.g. an Accountant user), the patient’s disclosures should not be viewable.

Figure 3: Non-privilege Account Cannot View Patient’s Disclosures

Using Burp, we intercept the Admin request to edit the patient’s disclosures, swap the “OpenEMR” cookie for an Accountant’s cookie, and are able to view the patient’s disclosures.

Figure 4: Burp Request Captured Using Accountant Cookie to View Forms Administration

Figure 5: Non-privilege Account Can View Patient’s Disclosures

The Raw Request looks like:

GET /openemr/interface/patient_file/summary/record_disclosure.php?editlid=3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=wXLcHx6rd0afp3JGFiB%2Cps94aa3icGyGvUi0DunXZ2YcFwuo
Upgrade-Insecure-Requests: 1

Non-privileged users can also edit, add or delete any patient’s disclosures.
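As an added illustration (not OpenEMR’s own code), the following Python models the record_disclosure.php handler before and after the server-side permission check the summary calls for. The session store, the ACL name `patients:disclosure` and the disclosure rows are constructed for the example.

```python
# Added example, not OpenEMR code: a minimal model of the record_disclosure.php
# handler before and after a server-side authorization check.

# Constructed session store: value of the "OpenEMR" cookie -> authenticated user.
SESSIONS = {
    "admin-session": {"user": "admin", "acl": {"patients:disclosure", "admin:super"}},
    "acct-session": {"user": "accountant", "acl": {"acct:bill"}},
}

# Constructed disclosure table keyed by the editlid value from the query string.
DISCLOSURES = {3: {"pid": 1, "recipient": "Insurer", "event": "Billing"}}

REQUIRED_ACL = "patients:disclosure"  # assumed name of the permission gating disclosures


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into a name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def _session_for(request: dict):
    return SESSIONS.get(parse_cookie(request.get("Cookie", "")).get("OpenEMR"))


def _lookup(request: dict) -> tuple:
    try:
        editlid = int(request.get("editlid", ""))
    except ValueError:
        return 400, "bad editlid"
    rec = DISCLOSURES.get(editlid)
    return (200, rec) if rec else (404, None)


def vulnerable_handler(request: dict) -> tuple:
    """Before: a valid session is the only requirement, so swapping in an
    accountant's cookie still returns the disclosure (the report's Figure 5)."""
    if _session_for(request) is None:
        return 302, "login"
    return _lookup(request)


def hardened_handler(request: dict) -> tuple:
    """After: the permission is checked against the identity bound to the session
    cookie on every request; hiding the link in the dashboard is not a control,
    the handler itself must refuse."""
    sess = _session_for(request)
    if sess is None:
        return 302, "login"
    if REQUIRED_ACL not in sess["acl"]:
        return 403, "forbidden"  # accounting / front office stop here
    return _lookup(request)
```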

We are processing your report and will contact the openemr team within 24 hours. a year ago
r00t.pgp modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second follow up to the openemr team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the openemr team. This report is now considered stale. a year ago
openemr/openemr maintainer validated this vulnerability a year ago

Currently working on a fix for this.

r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
a year ago


A preliminary fix has been placed in the development codebase:

This fix will be included in the next 6.1.0 patch 1. After we release 6.1.0 patch 1, then we will confirm the fix at that time.

We have sent a fix follow up to the openemr team. We will try again in 7 days. a year ago
openemr/openemr maintainer
a year ago


Patch 1 for 6.1.0 has been released, so this fix is now official.

openemr/openemr maintainer marked this as fixed in with commit 8f8a97 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


Dear @admin, kindly issue a CVE for this fix. Tq

Jamie Slome
a year ago


Sorted 👍
