Gerben Kleijn

**Name of the Vulnerable Software and Affected Versions** OpenClinic version 0.8.2 **Description** The issue allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application. This can be done via a direct request for the "/tests/" URI. **Recommendations** For OpenClinic version 0.8.2, consider restricting access to the "/tests/" URI until a patch is available. As a temporary workaround, implement proper authentication mechanisms to prevent unauthenticated access to patient medical test results.

**Name of the Vulnerable Software and Affected Versions** OpenClinic version 0.8.2 **Description** The issue is a stored XSS vulnerability in lib/Check.php, allowing users to force actions on behalf of other users. **Recommendations** For OpenClinic version 0.8.2, consider restricting access to the lib/Check.php file until a patch is available. As a temporary workaround, avoid using the application's functionality that relies on this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenClinic version 0.8.2 **Description** The issue allows authenticated users with substantial privileges to upload malicious files, such as PHP web shells, to the `medical/test new.php` endpoint, which can lead to arbitrary code execution on the application server. **Recommendations** For OpenClinic version 0.8.2, consider disabling the file upload functionality in `medical/test new.php` until a patch is available to prevent exploitation. Restrict access to this endpoint to minimize the risk of uploading malicious files.