CVE-2018-15147

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 5.0.1.4

Description The issue allows a remote authenticated attacker to execute arbitrary SQL commands. This is achieved via the id parameter in the interface/forms admin/forms admin.php file, which is affected by the SQL injection vulnerability. The library/registry.inc file is also involved in this issue.

Recommendations For versions prior to 5.0.1.4, update to version 5.0.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'id' parameter in the affected interface to minimize the risk of exploitation.