CVE-2018-15152

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 5.0.1.4

Description The issue allows a remote attacker to bypass authentication and access various API endpoints, including "portal/add edit event user.php", "portal/find appt popup user.php", "portal/get allergies.php", "portal/get amendments.php", "portal/get lab results.php", "portal/get medications.php", "portal/get patient documents.php", "portal/get problems.php", "portal/get profile.php", "portal/portal payment.php", "portal/messaging/messages.php", "portal/messaging/secure chat.php", "portal/report/pat ledger.php", "portal/report/portal custom report.php", and "portal/report/portal patient report.php" without authenticating as a patient.

Recommendations For versions prior to 5.0.1.4, update to version 5.0.1.4 or later to resolve the issue.