Openemr · Openemr · CVE-2021-40352
**Name of the Vulnerable Software and Affected Versions**
OpenEMR version 6.0.0
**Description**
The issue allows an attacker to read the messages of all users due to an Insecure Direct Object Reference vulnerability. This can be exploited via the `pnotes print.php` endpoint with the `noteid` parameter.
**Recommendations**
For OpenEMR version 6.0.0, as a temporary workaround, consider restricting access to the `pnotes print.php` endpoint to minimize the risk of exploitation. Avoid using the `noteid` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.