Dennis Brinkrolf

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 7.0.0 **Description** The issue is related to a Path Traversal vulnerability in the setup.php file of OpenEMR. This vulnerability allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server. The vulnerability is due to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For OpenEMR versions prior to 7.0.0, update to version 7.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the setup.php file until a patch is available. Avoid using the setup.php file to connect to external MySQL servers until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 7.0.0 **Description** A Local File Inclusion (LFI) issue in the interface/forms/LBF/new.php file allows remote authenticated users to execute code via the `formname` parameter. This can be exploited by authenticated users, potentially leading to code execution. **Recommendations** For versions prior to 7.0.0, update to version 7.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `interface/forms/LBF/new.php` file or disabling the `formname` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Django versions 2.2 before 2.2.26 Django versions 3.2 before 3.2.11 Django versions 4.0 before 4.0.1 **Description** The issue is related to the dictsort template filter in Django, which could potentially lead to information disclosure or an unintended method call if passed a suitably crafted key. This is due to the leveraging of the Django Template Language's variable resolution logic. The vulnerability may allow a remote attacker to obtain confidential system information. **Recommendations** For Django versions 2.2 before 2.2.26, update to version 2.2.26 or later. For Django versions 3.2 before 3.2.11, update to version 3.2.11 or later. For Django versions 4.0 before 4.0.1, update to version 4.0.1 or later. As a temporary workaround, consider restricting the use of the dictsort template filter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Django versions 2.2 through 2.2.25 Django versions 3.2 through 3.2.10 Django versions 4.0 through 4.0.0 **Description** The issue is related to the `Storage.save()` function in the Django web application framework, which is associated with incorrect restriction of the path name to a limited directory, allowing directory traversal. This can be exploited by a remote attacker to access confidential information by sending a specially crafted HTTP file to the application. The vulnerability can be exploited by passing crafted filenames directly to the `Storage.save()` function, allowing an attacker to write files outside the intended directory. **Recommendations** For Django versions 2.2 through 2.2.25, update to version 2.2.26 or later. For Django versions 3.2 through 3.2.10, update to version 3.2.11 or later. For Django versions 4.0 through 4.0.0, update to version 4.0.1 or later. As a temporary workaround, consider restricting access to the `Storage.save()` function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Emissary version 5.9.0 Description: The issue allows an authenticated user to read arbitrary files. This is achieved via the `ConfigName` parameter in the ConfigFileAction component. Recommendations: For Emissary version 5.9.0, consider restricting access to the ConfigFileAction component to prevent unauthorized file reading until a patch is available. As a temporary workaround, limit the use of the `ConfigName` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Emissary version 5.9.0 Description: The issue allows an authenticated user to upload arbitrary files. Recommendations: For version 5.9.0, consider restricting file upload capabilities to authorized users as a temporary mitigation measure until a patch is available.

Name of the Vulnerable Software and Affected Versions: Emissary version 5.9.0 Description: The issue allows an authenticated user to delete arbitrary files. Recommendations: For version 5.9.0, restrict file deletion privileges to prevent unauthorized access until a patch is available.

Name of the Vulnerable Software and Affected Versions: Emissary version 5.9.0 Description: The issue allows for a CSRF attack, which can result in injecting arbitrary Ruby code via the `CONSOLE COMMAND STRING` parameter. This can lead to an eval call, potentially allowing an attacker to execute malicious code. Recommendations: For Emissary version 5.9.0, as a temporary workaround, consider restricting access to the ConsoleAction component to minimize the risk of exploitation. Avoid using the `CONSOLE COMMAND STRING` parameter in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Artica Pandora FMS version 742 Description: A remote file inclusion issue exists, which can be exploited by a user with the lowest privileges. Recommendations: For Artica Pandora FMS version 742, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenEMR version 5.0.2.1 Description: A SQL injection issue exists in the library/custom template/ajax code.php file, allowing exploitation with user privileges. Recommendations: For OpenEMR version 5.0.2.1, consider restricting access to the vulnerable file library/custom template/ajax code.php to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 5.0.2.1 Description: A Stored XSS issue allows an admin authenticated user to inject arbitrary web script or HTML via the `lname` parameter in the interface/usergroup/usergroup admin.php file. Recommendations: For versions prior to 5.0.2.1, update to version 5.0.2.1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: OpenEMR version 5.0.2.1 Description: A SQL injection issue exists in the interface/forms/eye mag/save.php file, allowing exploitation with user privileges. Recommendations: For OpenEMR version 5.0.2.1, consider restricting access to the vulnerable save.php file until a patch is available. As a temporary workaround, avoid using user input in SQL queries to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenEMR version 5.0.2.1 **Description** The issue is related to insufficient permission assignment checks for a critical resource in the portal/patient/ machine config.php component of OpenEMR. This can allow a remote attacker to gain unauthorized access to protected information. An unauthenticated attacker can exploit this by registering an account and bypassing the permission check of the portal's API, then manipulating and reading data of every registered patient. **Recommendations** For OpenEMR version 5.0.2.1, consider restricting access to the portal/patient/ machine config.php component until a patch is available. As a temporary workaround, limit the registration of new accounts and closely monitor API activity to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Artica Pandora FMS version 742 Description: The issue allows unauthenticated attackers to perform Phar deserialization. Recommendations: For Artica Pandora FMS version 742, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: StackLift LocalStack version 0.12.6 Description: The issue allows attackers to inject arbitrary shell commands via the `functionName` parameter in the dashboard component. This could potentially lead to unauthorized access and execution of malicious commands. Recommendations: For StackLift LocalStack version 0.12.6, consider restricting access to the dashboard component to minimize the risk of exploitation. Avoid using the `functionName` parameter in the affected dashboard component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: StackLift LocalStack version 0.12.6 Description: A Cross-site scripting (XSS) issue exists. Recommendations: For version 0.12.6, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: U.S. National Security Agency (NSA) Emissary version 5.9.0 Description: A Cross-site scripting (XSS) issue in the DocumentAction component allows remote attackers to inject arbitrary web script or HTML via the `uuid` parameter. Recommendations: For U.S. National Security Agency (NSA) Emissary version 5.9.0, consider restricting access to the DocumentAction component until a fix is available, and avoid using the `uuid` parameter in affected API endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Django versions 2.2 before 2.2.20 Django versions 3.0 before 3.0.14 Django versions 3.1 before 3.1.8 **Description** The issue is related to the MultiPartParser component in Django, which has a directory path restriction flaw. This flaw can be exploited by a remote attacker using files with specially crafted names, potentially allowing access to confidential data. The built-in upload handlers are not affected by this issue. **Recommendations** For Django versions 2.2 before 2.2.20, update to version 2.2.20 or later. For Django versions 3.0 before 3.0.14, update to version 3.0.14 or later. For Django versions 3.1 before 3.1.8, update to version 3.1.8 or later.

**Name of the Vulnerable Software and Affected Versions** CiviCRM versions prior to 5.28.1 CiviCRM ESR versions prior to 5.27.5 ESR **Description** The issue is related to the CKEditor configuration form in CiviCRM, which allows Cross-Site Request Forgery (CSRF). This could potentially allow a remote attacker to impact data integrity. **Recommendations** For CiviCRM versions prior to 5.28.1, update to version 5.28.1 or later. For CiviCRM ESR versions prior to 5.27.5 ESR, update to version 5.27.5 ESR or later.

**Name of the Vulnerable Software and Affected Versions** CiviCRM versions 5.22.x through 5.24.x before 5.24.3 CiviCRM versions prior to 5.21.3 **Description** The issue in CiviCRM is related to the possibility of uploading and executing PHAR archives. Exploitation of this issue may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For CiviCRM versions prior to 5.21.3, update to version 5.21.3 or later. For CiviCRM versions 5.22.x through 5.24.x before 5.24.3, update to version 5.24.3 or later. As a temporary workaround, consider restricting the ability to upload and execute PHAR archives until a patch is available.