Vulnerability Description
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Emr | Openemr | 6.0.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/165301/OpenEMR-6.0.0-6.1.0-dev-SQL-Injectio (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2021/Dec/38 (Exploit, Mailing List, Third Party Advisory)
- https://trovent.github.io/security-advisories/TRSA-2109-01/TRSA-2109-01.txt (Exploit, Third Party Advisory)
- https://trovent.io/security-advisory-2109-01 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-41843?
CVE-2021-41843 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as d...
How severe is CVE-2021-41843?
CVE-2021-41843 is rated MEDIUM with a CVSS base score of 6.5/10.
Is there a patch for CVE-2021-41843?
Check the References section above for vendor advisories and patch information. The affected product is Open-Emr Openemr 6.0.0 (before patch 3).