CVE-2018-1000648

Name of the Vulnerable Software and Affected Versions LibreHealthIO lh-ehr version REL-2.0.0

Description The issue concerns an authenticated unrestricted file write vulnerability in patient file letter functions. This can lead to writing files with malicious content, potentially resulting in remote code execution. The attack is exploitable via user-controlled parameters, such as username or file content, in API endpoints like "/patient/file/letter".

Recommendations For LibreHealthIO lh-ehr version REL-2.0.0, consider restricting access to the patient file letter functions until a patch is available. As a temporary workaround, restrict the use of user-controlled parameters in the vulnerable functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.