Pavelkohout396

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.

A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is an electronic health records and medical practice management application. A DOM-based stored cross-site scripting issue exists in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`). An authenticated user with encounter form write access can inject arbitrary JavaScript that executes in another clinician's browser session when using the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. **Recommendations** Update to OpenEMR version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. The application is susceptible to a stored cross-site scripting (XSS) issue. This occurs due to unescaped `portal login username` within the portal credential print view. A patient portal user can inject an XSS payload as their login username, which then executes in a clinic staff member's browser when the "Create Portal Login" page is accessed for that patient. This allows for a transition from the patient session context to the staff/admin session context. **Recommendations** Versions prior to 8.0.0.2 should be updated to version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is an electronic health records and medical practice management application. A flaw exists where an authenticated, non-administrator user can view reminder messages belonging to other users. This is achieved by manipulating the `sentTo[]` or `sentBy[]` parameters in a GET request to the dated reminders log. The issue allows access to patient names and the content of free-text messages. **Recommendations** Update to OpenEMR version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is an electronic health records and medical practice management application. A flaw exists where an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows authenticated users to invoke controller methods, including `getNotificationLog()`, without proper access control checks. The `AppDispatch` constructor bypasses ACL enforcement, potentially exposing patient appointment data (PHI). **Recommendations** Update to OpenEMR version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the patient portal payment flow. This allows a patient portal user to inject arbitrary JavaScript code that will be executed in the browser of a staff member reviewing the payment submission. The malicious payload is stored in `portal/lib/paylib.php` and rendered without proper sanitization in `portal/portal payment.php`. **Recommendations** Update OpenEMR to version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, names associated with items in the 'Track Anything' feature are taken directly from user input (via POST requests) and displayed in Dygraph charts (titles and labels) without proper sanitization. This allows a user with the ability to create or edit 'Track Anything' items to inject malicious script that will execute when any user views the corresponding graph. The issue involves the use of `innerHTML` or similar methods without escaping, leading to potential cross-site scripting (XSS). The vulnerable component is the rendering of track/item names in Dygraph charts. **Recommendations** Update OpenEMR to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. An incorrect boolean condition within the `ControllerRouter::route()` function results in the administrator/super user access control check being applied only to specific controllers (review, log). This leaves other controllers – alerts, ajax, edit, add, detail, browse – accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations, operations that should require administrator privileges. **Recommendations** Versions prior to 8.0.0.1 should be updated to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the Graphical Pain Map ("clickmap") form. This allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. The `clickmap` form is the point of injection for the malicious script. The vulnerability affects the session cookies, allowing for unauthorized access. **Recommendations** Update OpenEMR to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the prescription CSS/HTML print view via patient demographics. This involves server-side rendering of patient names using a raw PHP echo and client-side DOM-based rendering via jQuery .html() in a separate component (`portal/sign/assets/signer api.js`). The root cause is unsanitized patient names in `patient data`. The issue has different sinks, affected components, and trigger actions, requiring independent fixes. **Recommendations** Versions prior to 8.0.0.1 should be updated to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. The Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata, including claim IDs, payer information, and transmission logs. This endpoint does not enforce the same Access Control List (ACL) as the main billing/claims workflow, allowing authenticated users without appropriate billing permissions to access sensitive data. The vulnerable API endpoint is an AJAX endpoint used by the Claim File Tracker feature. The issue arises because the endpoint does not properly validate user permissions before returning billing claim metadata. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update OpenEMR to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0.1, sensitivity checks for group encounters were not functioning correctly. The code was only checking the `form encounter` table for sensitivity information, while group encounters actually store this information in the `form groups encounter` table. This resulted in sensitivity restrictions not being applied to group encounters, potentially allowing unauthorized users to view sensitive information, such as mental health records. **Recommendations** Upgrade to OpenEMR version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, the dynamic code picker ''/ajax/dynamic code picker'' endpoint returns code descriptions (`code text`) that are rendered in the front end (e.g., DataTables) without HTML escaping. If an administrator or a user with code management rights creates or edits a code with a malicious description containing a script, that script executes in the browser of every user who uses the picker. **Recommendations** Update to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0 **Description** OpenEMR is an electronic health records and medical practice management application. A flaw exists in the Immunization module where user-supplied `patient id` values are directly incorporated into SQL queries without proper sanitization. This allows any authenticated user to execute arbitrary SQL queries, potentially leading to database compromise, unauthorized access to protected health information (PHI), credential theft, and remote code execution. **Recommendations** Update to version 8.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** openCryptoki versions 2.3.2 and above **Description** openCryptoki is a PKCS#11 library used on Linux and AIX systems. Versions 2.3.2 and above are susceptible to symlink-following when operating in privileged contexts. A user belonging to the token-group can redirect file operations to arbitrary filesystem locations by creating symlinks within group-writable token directories, potentially leading to privilege escalation or data exposure. The token and lock directories are configured with 0770 permissions, allowing any token-group member to place files and symlinks inside them. When executed with root privileges, the base code responsible for handling token directory file access, along with several openCryptoki tools used for administrative tasks, may modify the ownership or permissions of existing files within these token directories. An attacker with token-group membership can exploit this issue when an administrator runs a PKCS#11 application or administrative tool that performs `chown` operations on files inside the token directory during routine maintenance. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Traefik versions prior to 2.11.35 and 3.6.7 **Description** Traefik, an HTTP reverse proxy and load balancer, has a potential issue in its ACME TLS certificates' automatic generation. The ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, and then stop responding, leading to a denial of service of the entry point. The vulnerability stems from a lack of timeouts and proper connection closing within the ACME TLS-ALPN handling code, specifically in `pkg/server/router/tcp/router.go`. This allows a client to exhaust server resources by holding open goroutines and file descriptors without a defined limit. **Recommendations** Traefik versions prior to 2.11.35 must be updated. Traefik versions prior to 3.6.7 must be updated.

**Name of the Vulnerable Software and Affected Versions** openCryptoki versions 3.25.0 and 3.26.0 **Description** openCryptoki is a PKCS#11 library and tools for Linux and AIX. A heap buffer overflow exists in the `CKM ECDH AES KEY WRAP` implementation. An attacker with local access can cause out-of-bounds writes in the host process by providing a compressed EC public key and calling `C WrapKey`. This can result in heap corruption or a denial-of-service condition. **Recommendations** Update to a version of openCryptoki newer than 3.26.0.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.8 FreeRDP versions prior to 3.23.0 **Description** FreeRDP, a free implementation of the Remote Desktop Protocol, contains an out-of-bounds read issue in the FreeRDP client’s RDPGFX channel. A malicious RDP server can exploit this by sending a crafted WIRE TO SURFACE 2 Protocol Data Unit (PDU) with a `bitmapDataLength` value exceeding the actual data within the packet. This can result in information disclosure or client crashes when a user connects to a malicious server. The vulnerability occurs when reading uninitialized heap memory. **Recommendations** Update to FreeRDP version 2.11.8 or later. Update to FreeRDP version 3.23.0 or later.