Security Research & Advisories

Vertical Privilege Escalation in OpenEMR

Product OpenEMR
Affected Version(s) 5.0.0 and probably prior
Tested Version(s) 5.0.0 and 5.0.1-dev
Vulnerability Discovery May 21, 2017
Vendor Notification May 23, 2017
Advisory Publication May 23, 2017 [without technical details]
Vendor Acknowledgment May 25, 2017
Vendor Fix N/A
Public Disclosure N/A
Latest Modification May 23, 2017
CVE Identifier(s) CVE-2017-1000241
Product Description OpenEMR is a Free and Open Source electronic health records and medical practice management application. It is ONC Certified and it features fully integrated electronic health records, practice management, scheduling, electronic billing, internationalization, free support, a vibrant community, and a whole lot more.
Credits Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Vertical Privilege Escalation
Severity: Medium CVSS Score: 5.4 CWE-ID: CWE-269 Status: Partially Fixed
Vulnerability Description
The application OpenEMR version 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability can allow an authenticated non-administrator user to view and modify information that should only be reachable to an administrator.
CVSS Base Score
Attack Vector Network Scope Unchanged
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction None Availability Impact None


The Open-EMR web application version 5.0.1-dev and prior is vulnerable to a vertical privilege escalation in at least one place. Exploiting this vulnerability leads to an authenticated user with low privileges (e.g. Front Office) to view and modify information only accessible to administrator users.

The following screenshots shows that it is possible as a user with “Front Office” role to view and modify registered users:

If non-administrator users access the following URL, they are able to view all registered users: /openemr/interface/main/tabs/main.php

In addition, a non-administrator user is able to modify information of registered users. The following screenshot show a request made by the user FO with Front Office privileges adding the parameter “authorized” to on:

When verifying with an administrator user, the change has well been applied:

The following sections are also accessible to non-administrative users:

Log Viewer




Detailed Facilities


Note: Most vulnerabilities have not been fixed as of OpenEMR 5.0.0 patch 7.