Improper Privilege Management - receptionist can view background services and log for admin in openemr/openemr
Apr 23rd 2022
Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code.
Proof of Concept
- Install openemr on your system and create an admin account and a receptionist account
- Log in as the receptionist and note that Reports > Services does not appear in your menu, since you don't have the privilege to view it
- However, go to this link /openemr/interface/reports/background_services.php and see that you can view all background services. Go to this link /openemr/interface/reports/direct_message_log.php and you can view all direct message logs
This allows a receptionist to view all service reports and logs.
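A maintainer-side audit for this class of bug, added here as an example that is not part of the report or of OpenEMR's code base: it flags report pages that bootstrap the logged-in session via globals.php (authentication) but never consult the ACL (authorization), which is the pattern behind the two pages above. The sample file contents are constructed; AclMain::aclCheckCore and acl_check are OpenEMR's real helper names, but treating their mere presence as "guarded" is a heuristic and the 'admin'/'super' mapping is an assumption.

```python
import re
from typing import Dict, List

# Calls that indicate an explicit ACL gate in an OpenEMR page.  Presence is a
# heuristic: a check placed after sensitive output would still pass this scan.
ACL_PATTERNS = [
    re.compile(r"AclMain::aclCheckCore\s*\("),
    re.compile(r"\bacl_check\s*\("),
]

# Pulling in globals.php gives a page an authenticated session but says nothing
# about which role may use it.
GLOBALS_INCLUDE = re.compile(r"require(?:_once)?\s*\(?\s*['\"][^'\"]*globals\.php['\"]")


def find_unguarded_pages(pages: Dict[str, str]) -> List[str]:
    """Return the names of PHP pages that bootstrap the session but never call the ACL."""
    unguarded = []
    for name, source in pages.items():
        if not GLOBALS_INCLUDE.search(source):
            continue  # not an OpenEMR page; nothing to judge
        if not any(pattern.search(source) for pattern in ACL_PATTERNS):
            unguarded.append(name)
    return sorted(unguarded)


# Constructed sample sources (not the real OpenEMR files): two pages with the
# session-only pattern described in this report, one with an explicit ACL gate.
SAMPLE_PAGES = {
    "interface/reports/background_services.php": (
        '<?php\nrequire_once("../globals.php");\n'
        "// ... renders the background services table for any logged-in user ...\n"
    ),
    "interface/reports/direct_message_log.php": (
        '<?php\nrequire_once("../globals.php");\n'
        "// ... renders the direct message log for any logged-in user ...\n"
    ),
    "interface/reports/guarded_report.php": (
        '<?php\nrequire_once("../globals.php");\n'
        "use OpenEMR\\Common\\Acl\\AclMain;\n"
        "if (!AclMain::aclCheckCore('admin', 'super')) { die(xlt('Not authorized')); }\n"
    ),
}

if __name__ == "__main__":
    for page in find_unguarded_pages(SAMPLE_PAGES):
        print(f"no ACL check: {page}")
```

Run against a real checkout by reading every file under interface/reports into the dictionary; each hit is a page to review by hand, not an automatic finding.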