PT-2015-6593 · Openemr · Openemr

Brian D. Hysell · Published 2015-07-05 · Updated 2016-12-07 · CVE-2015-4453

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OpenEMR versions 2.x through 4.1.1
OpenEMR version 4.2.0 before patch 2

Description

The issue allows remote attackers to bypass authentication and obtain sensitive information by providing an ignoreAuth=1 value to certain scripts. This is demonstrated by accessing the "interface/fax/fax_dispatch_newpid.php" and "interface/billing/sl_eob_search.php" scripts.

Recommendations

For OpenEMR versions 2.x through 4.1.1, update to version 4.2.0 patch 2 or later. For OpenEMR version 4.2.0 before patch 2, apply patch 2 to resolve the issue. As a temporary workaround, consider restricting access to the fax_dispatch_newpid.php and sl_eob_search.php scripts until the issue is resolved.
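
An added example, not part of the original advisory or of OpenEMR: a Python scan of web server access logs for requests whose query string sets ignoreAuth, useful for reviewing exposure before patching and while the workaround is in place. The combined log format, the /openemr/ path prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named in the advisory; it says "certain scripts", so others may be affected.
NAMED_SCRIPTS = ("fax_dispatch_newpid.php", "sl_eob_search.php")

# Assumed format: Apache/nginx "combined" access log.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_ignoreauth_requests(lines):
    """Return one dict per logged request whose query string sets ignoreAuth."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m.group("target"))
        # parse_qs URL-decodes keys, so percent-encoded spellings are caught too.
        # Keys are compared case-insensitively, which is deliberately broad.
        keys = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if "ignoreauth" not in keys:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": url.path,
            "status": int(m.group("status")),
            "named_script": url.path.endswith(NAMED_SCRIPTS),
        })
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [05/Jul/2015:10:01:02 +0000] "GET /openemr/interface/fax/fax_dispatch_newpid.php?ignoreAuth=1 HTTP/1.1" 200 512 "-" "curl/7.40"',
    '198.51.100.4 - - [05/Jul/2015:10:02:00 +0000] "GET /openemr/interface/login/login.php?site=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jul/2015:10:03:10 +0000] "GET /openemr/interface/billing/sl_eob_search.php?%69gnoreAuth=1 HTTP/1.1" 403 199 "-" "curl/7.40"',
    '192.0.2.9 - - [05/Jul/2015:10:04:30 +0000] "GET /openemr/interface/main/main_screen.php?ignoreAuth=1 HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_ignoreauth_requests(SAMPLE):
        print(hit)
```

Values sent in a POST body do not appear in access logs, so this covers query-string use only. A 200 status on a named script from an unauthenticated client is the case to investigate first; a 403 shows the access restriction working.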

Fix

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2015-4453

Affected Products

Openemr