Skip to main content

Librehealth Ehr CVE-2020-11438

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2020-07-15 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 15, 2020 - 20:15 nvd
HIGH 8.8

DescriptionNVD

LibreHealth EMR v2.0.0 is affected by systemic CSRF.

AnalysisAI

LibreHealth EMR v2.0.0 is affected by systemic CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Affected products include: Librehealth Librehealth Ehr.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2020-11436 CRITICAL POC
9.0 Jul 15

LibreHealth EMR v2.0.0 is vulnerable to XSS that results in the ability to force arbitrary actions on behalf of other us

CVE-2022-31496 HIGH POC
8.8 Jun 09

LibreHealth EHR Base 2.0.0 allows incorrect interface/super/manage_site_files.php access. Rated high severity (CVSS 8.8)

CVE-2022-29938 HIGH POC
8.8 May 05

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via

CVE-2020-23829 HIGH POC
8.8 Sep 01

interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerabilit

CVE-2020-11439 HIGH POC
8.8 Jul 15

LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed wi

CVE-2018-1000839 HIGH POC
8.8 Dec 20

LH-EHR version REL-2_0_0 contains a Arbitrary File Upload vulnerability in Profile picture upload that can result in Rem

CVE-2018-1000650 HIGH POC
8.8 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in Show Groups Popup SQL query functions t

CVE-2018-1000649 HIGH POC
8.8 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write in letter.php (2) vulnerability

CVE-2018-1000648 HIGH POC
8.8 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write vulnerability in Patient file le

CVE-2018-1000646 HIGH POC
8.8 Aug 20

LibreHealthIO LH-EHR version REL-2.0.0 contains an Authenticated Unrestricted File Write vulnerability in Import templat

CVE-2018-1000647 HIGH POC
7.1 Aug 20

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Deletion vulnerability in Import templ

CVE-2018-1000645 MEDIUM POC
6.5 Aug 20

LibreHealthIO lh-ehr version <REL-2.0.0 contains an Authenticated Local File Disclosure vulnerability in Importing of te

Share

CVE-2020-11438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy