CVE-2018-17181

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 5.0.1 Patch 7

Description An issue exists in the software, where SQL Injection is present in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.

Recommendations For versions prior to 5.0.1 Patch 7, update to version 5.0.1 Patch 7 or later to resolve the issue. As a temporary workaround, consider restricting access to the /portal/lib/paylib.php and /portal/lib/appsql.class.php files until a patch is applied. Avoid using the SaveAudit and portalAudit functions in the affected API endpoints until the issue is resolved.