Skip to main content

Librehealth Ehr CVE-2020-11437

MEDIUM
SQL Injection (CWE-89)
2020-07-15 cve@mitre.org
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 15, 2020 - 20:15 nvd
MEDIUM 4.3

DescriptionNVD

LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database.

AnalysisAI

LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database. Affected products include: Librehealth Librehealth Ehr.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2020-11436 CRITICAL POC
9.0 Jul 15

LibreHealth EMR v2.0.0 is vulnerable to XSS that results in the ability to force arbitrary actions on behalf of other us

CVE-2022-31496 HIGH POC
8.8 Jun 09

LibreHealth EHR Base 2.0.0 allows incorrect interface/super/manage_site_files.php access. Rated high severity (CVSS 8.8)

CVE-2022-29938 HIGH POC
8.8 May 05

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via

CVE-2020-23829 HIGH POC
8.8 Sep 01

interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerabilit

CVE-2020-11439 HIGH POC
8.8 Jul 15

LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed wi

CVE-2020-11438 HIGH POC
8.8 Jul 15

LibreHealth EMR v2.0.0 is affected by systemic CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2018-1000839 HIGH POC
8.8 Dec 20

LH-EHR version REL-2_0_0 contains a Arbitrary File Upload vulnerability in Profile picture upload that can result in Rem

CVE-2018-1000650 HIGH POC
8.8 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in Show Groups Popup SQL query functions t

CVE-2018-1000649 HIGH POC
8.8 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write in letter.php (2) vulnerability

CVE-2018-1000648 HIGH POC
8.8 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write vulnerability in Patient file le

CVE-2018-1000646 HIGH POC
8.8 Aug 20

LibreHealthIO LH-EHR version REL-2.0.0 contains an Authenticated Unrestricted File Write vulnerability in Import templat

CVE-2018-1000647 HIGH POC
7.1 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Deletion vulnerability in Import templ

Share

CVE-2020-11437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy