CVE-2018-15141

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 5.0.1.4

Description The issue allows a remote attacker authenticated in the patient portal to delete arbitrary files. This is achieved via the docid parameter when the mode is set to delete in the /portal/import template.php endpoint.

Recommendations For versions prior to 5.0.1.4, update to version 5.0.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /portal/import template.php endpoint or disabling the delete mode to minimize the risk of exploitation. Avoid using the docid parameter in the affected endpoint until the issue is resolved.