Improper authorization - receptionist can read all Clinic reports in openemr/openemr

Status: Valid

Reported on Apr 23rd 2022


Description

Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code.

Proof of Concept

  1. Install openemr in your system and create an admin account and a receptionist account
  2. Log in as the receptionist and see that Reports > Clinics does not appear in your menu, since you don't have the privilege for it
  3. However, go to this link https://demo.openemr.io/openemr/interface/reports/cqm.php?type=cqm# and see that you can view all clinic reports. Go to this link https://demo.openemr.io/openemr/interface/reports/cdr_log.php# and see that you can view all alert reports.

Impact

Allows a receptionist to view all clinic reports.
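The defect described in the proof of concept is a classic one: the menu hides the report links from the receptionist, but the report pages themselves never check the caller's privileges, so a direct URL bypasses the "control". The example below is added here and is not OpenEMR code; it uses a constructed role-to-privilege table and hypothetical handler functions to show the vulnerable page beside a hardened one that enforces the check server-side on every request.

```php
<?php
// Added example, not OpenEMR's own code. ROLE_GRANTS, hasPrivilege(),
// buildMenu(), clinicReportVulnerable() and clinicReportHardened() are all
// constructed for this illustration; OpenEMR's real ACL schema is not reproduced.

declare(strict_types=1);

// Constructed ACL table: role => list of granted privileges.
const ROLE_GRANTS = [
    'admin'        => ['reports:clinic', 'reports:cdr_log', 'patients:demo'],
    'receptionist' => ['patients:demo'],
];

function hasPrivilege(string $role, string $privilege): bool
{
    return in_array($privilege, ROLE_GRANTS[$role] ?? [], true);
}

// Menu builder: hides entries the user may not use. This is a usability
// feature, not an authorization control, and it is the only gate the
// vulnerable page relies on.
function buildMenu(string $role): array
{
    $items = [];
    if (hasPrivilege($role, 'reports:clinic')) {
        $items[] = '/interface/reports/cqm.php';
    }
    if (hasPrivilege($role, 'reports:cdr_log')) {
        $items[] = '/interface/reports/cdr_log.php';
    }
    return $items;
}

// Vulnerable handler: any authenticated session that reaches this URL
// directly gets the report, regardless of role.
function clinicReportVulnerable(string $role): array
{
    return ['status' => 200, 'body' => 'clinic quality measure report'];
}

// Hardened handler: the privilege is re-checked on the page itself,
// independently of whether the menu showed a link.
function clinicReportHardened(string $role): array
{
    if (!hasPrivilege($role, 'reports:clinic')) {
        // Record the denial: repeated direct requests for hidden report URLs
        // from a low-privilege role are a useful detection signal.
        error_log("authz denied: role={$role} resource=reports:clinic");
        return ['status' => 403, 'body' => 'Not authorized'];
    }
    return ['status' => 200, 'body' => 'clinic quality measure report'];
}

// Demonstration: the receptionist gets no menu entry, yet the vulnerable
// handler still serves the report; the hardened one refuses.
$role = 'receptionist';
printf("menu for %s: %s\n", $role, json_encode(buildMenu($role)));
printf("vulnerable handler status: %d\n", clinicReportVulnerable($role)['status']);
printf("hardened handler status:   %d\n", clinicReportHardened($role)['status']);
```

Run it with `php example.php`. The point to carry over to a real code base is that every report endpoint must call the authorization check itself; hiding the link and checking at the menu layer only are not equivalent.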

We are processing your report and will contact the openemr team within 24 hours. 3 months ago
We have contacted a member of the openemr team and are waiting to hear back 3 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 3 months ago
openemr/openemr maintainer validated this vulnerability 3 months ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
openemr/openemr maintainer (Maintainer), 3 months ago:
A preliminary fix for this has been placed in our development codebase at https://github.com/openemr/openemr/commit/3c5fbbc0656c7d42e387a53a1e16689bc0ffaf32. The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (6.1.0.2). After we release this patch, I will then mark this item as fixed (probably in about a month).

We have sent a fix follow up to the openemr team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 3 months ago
openemr/openemr maintainer confirmed that a fix has been merged on 3c5fbb 12 days ago
The fix bounty has been dropped
openemr/openemr maintainer (Maintainer), 12 days ago:

This fix was included in OpenEMR version 7.0.0, which was recently released.
