CVE-2017-16540

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 5.0.0 Patch 5

Description The issue allows unauthenticated remote database copying. This is possible because setup.php exposes functionality for cloning an existing site to an arbitrary attacker-controlled MySQL server via vectors involving a crafted state parameter.

Recommendations For versions prior to 5.0.0 Patch 5, update to version 5.0.0 Patch 5 to resolve the issue. As a temporary workaround, consider restricting access to the setup.php file to minimize the risk of exploitation.