CVE-2013-4619

Name of the Vulnerable Software and Affected Versions OpenEMR version 4.1.1

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via the start or end parameter to the "interface/reports/custom report range.php" endpoint, or the form newid parameter to the "custom/chart tracker.php" endpoint.

Recommendations For OpenEMR version 4.1.1, consider restricting access to the vulnerable endpoints "interface/reports/custom report range.php" and "custom/chart tracker.php" to minimize the risk of exploitation. Avoid using the start, end, and form newid parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.