PT-2018-9503 · Librehealthio · Librehealthio Lh-Ehr

Prodigysml · Published 2018-08-20 · Updated 2018-10-16 · CVE-2018-1000650

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LibreHealthIO lh-ehr version REL-2.0.0
Description: LibreHealthIO lh-ehr REL-2.0.0 contains a SQL injection vulnerability in the Show Groups Popup SQL query functions. User-controlled input, such as a username or another form field, reaches the SQL text without being neutralized, so an attacker can alter the query and run arbitrary database queries, with high impact on confidentiality, integrity and availability. The CVSS vector (PR:L, UI:N) indicates that an ordinary authenticated account is sufficient and no victim interaction is needed. The advisory does not name the exact vulnerable parameter.
Recommendations: Upgrade to a release of lh-ehr later than REL-2.0.0 that includes the fix. Until that is possible, restrict the Show Groups Popup to trusted staff accounts and ensure that every user-controlled value reaching the affected query functions is passed as a bound parameter of a prepared statement rather than concatenated into the SQL string. Because a low-privileged login is enough to exploit the issue, requiring authentication alone does not mitigate it.
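The following is an added illustration of the weakness class described above, not code from lh-ehr or from the advisory. It reproduces the pattern behind a "show groups for a user" lookup with the username concatenated into the query, shows two payloads an authenticated attacker could send (a tautology that returns every row, and a UNION that reads data the query was never meant to return), and places the parameterized form beside it. The table name, column names, sample rows and the `username` parameter are assumptions made for the demo; the real vulnerable parameter is not named in the advisory.

```python
"""Vulnerable vs. parameterized "show groups" lookup (added example, not lh-ehr code)."""
from __future__ import annotations

import sqlite3

# Constructed sample data standing in for an EHR's user/group assignment table.
# The schema is an assumption for this demo, not lh-ehr's real schema.
SAMPLE_ROWS = [
    ("alice", "Default"),
    ("bob", "Default"),
    ("carol", "Physicians"),
    ("admin", "Administrators"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE groups (username TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO groups VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def show_groups_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """The injectable pattern: the user-supplied value becomes part of the SQL text.

    Anything the caller puts in `username` is parsed by the database as SQL, so a
    single quote ends the string literal and the rest of the value is executed.
    """
    sql = "SELECT name FROM groups WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def show_groups_fixed(conn: sqlite3.Connection, username: str) -> list[str]:
    """The hardened form: the value is bound as a parameter and never parsed as SQL.

    Quotes, comment markers and keywords inside `username` are just characters
    compared against the column, so the payloads below match nothing.
    """
    sql = "SELECT name FROM groups WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Two constructed payloads. The first closes the literal and appends a tautology,
# turning the WHERE clause into "username = 'nobody' OR '1'='1'". The second
# appends a UNION and comments out the closing quote, so the attacker controls
# what the second SELECT returns (here the database version, as a harmless probe).
TAUTOLOGY_PAYLOAD = "nobody' OR '1'='1"
UNION_PAYLOAD = "nobody' UNION SELECT sqlite_version()--"


def demo() -> dict[str, object]:
    """Run both implementations against a legitimate value and both payloads."""
    conn = make_db()
    try:
        return {
            "legit_vulnerable": show_groups_vulnerable(conn, "carol"),
            "legit_fixed": show_groups_fixed(conn, "carol"),
            # Every row leaks through the string-built query...
            "tautology_vulnerable": show_groups_vulnerable(conn, TAUTOLOGY_PAYLOAD),
            # ...while the bound parameter simply matches no username.
            "tautology_fixed": show_groups_fixed(conn, TAUTOLOGY_PAYLOAD),
            # The UNION payload returns attacker-chosen data instead of group names.
            "union_vulnerable": show_groups_vulnerable(conn, UNION_PAYLOAD),
            "union_fixed": show_groups_fixed(conn, UNION_PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

Running the file prints the same legitimate result for both implementations, four rows and a version string for the two payloads against the vulnerable query, and empty results for the payloads against the parameterized query. When triaging a report like this one, the same two payloads against the real endpoint, one that should and one that should not change the row count, are a quick way to confirm whether a given parameter is the injectable one.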

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2018-1000650

Affected Products

Librehealthio Lh-Ehr