SQL Injection in Open-emr Openemr

CVE-2012-2115

SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the u parameter.

Vulnerability class: SQL Injection

EPSS: 0.002 (37.2th percentile) — read the EPSS interpretation.

Affected products

Open-emr Openemr — versions 3.1.0, 3.2.0, 4.0.0
N/a — versions n/a

Weakness classification (CWE)

CWE-89 — SQL Injection

References

[oss-security] 20120417 CVE-request: OpenEMR 4.1.0 SQL-injection (mailing-list, x_refsource_MLIST)
[oss-security] 20120418 Re: CVE-request: OpenEMR 4.1.0 SQL-injection (mailing-list, x_refsource_MLIST)
secalert@redhat.com (x_refsource_MISC)
78132 (x_refsource_OSVDB, vdb-entry)
openemr-validateuser-sql-injection(71983) (vdb-entry, x_refsource_XF)
18274 (Exploit, exploit, x_refsource_EXPLOIT-DB)
51247 (Exploit, vdb-entry, x_refsource_BID)
20120103 SQL Injection Vulnerability in OpenEMR 4.1.0 (mailing-list, x_refsource_FULLDISC)
20120103 SQL Injection Vulnerability in OpenEMR 4.1.0 (mailing-list, x_refsource_BUGTRAQ)
secalert@redhat.com (x_refsource_CONFIRM)