Adunsulag

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0 **Description** OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure issue that exposes contact information for users, organizations, and patients to individuals with the system/(Group,Patient,*).$export operation and system/Location.read capabilities. This disclosure requires a confidential client with secure key exchange, which needs to be enabled and granted permission by an administrator. This typically occurs in server-server communication between trusted clients with existing legal agreements. The vulnerable functionality involves the `$export` operation and the `system/Location.read` capability. **Recommendations** Disable clients that have the vulnerable scopes. Only allow clients that do not have the `system/Location.read` scope until a fix has been deployed.