Improper Privilege Management in openemr/openemr
Sep 24th 2021
A user in the predefined Front desk receptionist role has access to the Audit Log Tamper Report function. By default this function is reserved for the predefined system administrator role, and no other users should be able to access it.
Proof of Concept
Log in with a Front desk receptionist user.
Simply open the following URI
The data is being displayed for the unauthorized user.
A receptionist user is able to access the Audit Log, where information can be gained about failed login attempts.
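The flaw described above is an authorization gap rather than an authentication one: the report endpoint confirms that a user is logged in but never checks whether the user's role carries the privilege the report requires. The Python below is an added illustration, not OpenEMR's code and not the change made in the linked pull request. It models the vulnerable endpoint beside a deny-by-default version that also records refused requests so the attempts are visible to whoever monitors the system. The role names, the privilege name and the sample audit rows are constructed for the example.

```python
"""Privilege gate on a privileged report endpoint (added illustration).

Models the report above: an audit-log report that any authenticated user
could open, next to a version that enforces the privilege per endpoint
and logs every refusal for detection. Not OpenEMR code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role-to-privilege map. Only "admin" may run the audit-log
# tamper report; "receptionist" stands in for the front desk role.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "admin": {"audit_log_tamper_report", "patient_schedule"},
    "receptionist": {"patient_schedule"},
}


@dataclass
class User:
    name: str
    role: str


# Constructed sample report output (what the report would reveal) and a
# sink for denied requests that a SIEM or log review could pick up.
AUDIT_ROWS: List[str] = [
    "2021-09-24 09:12:01 login failure user=jdoe ip=10.0.0.5",
    "2021-09-24 09:12:30 login failure user=jdoe ip=10.0.0.5",
]
DENIED_ACCESS_LOG: List[str] = []


class Forbidden(Exception):
    pass


def tamper_report_vulnerable(user: Optional[User]) -> List[str]:
    """Before: checks that someone is logged in, not what they may do."""
    if user is None:
        raise Forbidden("login required")
    return list(AUDIT_ROWS)


def has_privilege(user: User, privilege: str) -> bool:
    """Deny by default: an unknown role or a missing privilege is a 'no'."""
    return privilege in ROLE_PRIVILEGES.get(user.role, set())


def tamper_report_fixed(user: Optional[User]) -> List[str]:
    """After: the endpoint enforces its own privilege and logs refusals."""
    if user is None:
        raise Forbidden("login required")
    if not has_privilege(user, "audit_log_tamper_report"):
        DENIED_ACCESS_LOG.append(
            f"denied audit_log_tamper_report user={user.name} role={user.role}"
        )
        raise Forbidden("not authorized")
    return list(AUDIT_ROWS)


def demo() -> Dict[str, int]:
    """Run both versions as a receptionist and as an admin.

    Returns how many audit rows each caller saw and how many refusals
    were logged, so the difference between the two versions is explicit.
    """
    DENIED_ACCESS_LOG.clear()
    receptionist = User("frontdesk", "receptionist")
    admin = User("sysadmin", "admin")
    result: Dict[str, int] = {}
    # Vulnerable version: the receptionist gets the full report.
    result["vulnerable_receptionist_rows"] = len(tamper_report_vulnerable(receptionist))
    # Fixed version: the receptionist is refused and the refusal is logged.
    try:
        tamper_report_fixed(receptionist)
        result["fixed_receptionist_rows"] = len(AUDIT_ROWS)
    except Forbidden:
        result["fixed_receptionist_rows"] = 0
    # Fixed version: the admin still gets the report.
    result["fixed_admin_rows"] = len(tamper_report_fixed(admin))
    result["denied_log_entries"] = len(DENIED_ACCESS_LOG)
    return result


if __name__ == "__main__":
    print(demo())
```

The check lives inside the endpoint rather than in a menu or link, because hiding the link is exactly what this report shows to be insufficient: the URI can be requested directly. Logging the refusal gives the administrator a signal that a low-privilege account is probing privileged functions.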
Hi, thanks for the report. This issue has been fixed in OpenEMR's master branch: https://github.com/openemr/openemr/pull/4660. Plan to release a 6.0.0 patch in the future with this fix (will likely release the patch in several weeks).
Hi! Thanks for the response. Can you please mark the issue described above as valid?
This was fixed a while back for the OpenEMR 6.1.0 version.