Improper Privilege Management in openemr/openemr
Sep 24th 2021
A predefined Front desk receptionist user has access to the Audit Log Tamper Report function. By default this is a predefined system administrator function, and no other users should be able to access it.
Proof of Concept
Log in with a Front desk receptionist user.
Simply open the following URI
The data is being displayed for the unauthorized user.
A receptionist user is able to access the Audit Log, where information can be gained about the failed login attempts.
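The defect described above is a missing server-side authorization check on a privileged report. The following is an added illustration of that check, not OpenEMR's own code: the role names, the `AUDIT_TAMPER_REPORT_ROLES` allow-list and the `auditTamperReport` functions are hypothetical, and the sessions are constructed for the demonstration. The unchecked shape renders the report for any authenticated user, which is the behaviour reported here; the hardened shape consults the role stored in the server-side session before any report data is fetched and logs the denial.

```php
<?php
// Added illustration, not OpenEMR's code. Role names, the allow-list and the
// function names are hypothetical; sessions below are constructed.

declare(strict_types=1);

// Only these roles may see the Audit Log Tamper Report.
const AUDIT_TAMPER_REPORT_ROLES = ['system_administrator'];

function currentUserRole(array $session): ?string
{
    // The role comes from the server-side session, never from request input.
    return $session['role'] ?? null;
}

// Vulnerable shape: any authenticated user reaches the report.
function auditTamperReportUnchecked(array $session, callable $render): string
{
    return $render();
}

// Hardened shape: explicit allow-list check before the report is built.
function auditTamperReport(array $session, callable $render): string
{
    $role = currentUserRole($session);
    if ($role === null || !in_array($role, AUDIT_TAMPER_REPORT_ROLES, true)) {
        http_response_code(403);
        error_log(sprintf('audit_tamper_report denied: role=%s', $role ?? 'none'));
        return 'Access denied.';
    }
    return $render();
}

// Stand-in for the real report renderer; it would query the audit tables.
$renderReport = static fn(): string => '<table>audit log tamper rows</table>';

// Constructed sessions for the demonstration.
$receptionist = ['user' => 'frontdesk1', 'role' => 'front_desk_receptionist'];
$admin        = ['user' => 'admin',      'role' => 'system_administrator'];

// Unchecked: the receptionist is shown the report (the reported flaw).
echo auditTamperReportUnchecked($receptionist, $renderReport), PHP_EOL;
// Checked: the receptionist is refused and the denial is logged.
echo auditTamperReport($receptionist, $renderReport), PHP_EOL;
// Checked: the administrator still sees the report.
echo auditTamperReport($admin, $renderReport), PHP_EOL;
```

The check belongs in the page that serves the report, not only in the menu that links to it: hiding a menu entry does nothing when the URI is opened directly, which is exactly how the proof of concept above reaches the function. Logging the refusal also gives operators a signal for attempts to reach administrator-only reports from lower-privileged accounts.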