CVE-2018-17179

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 5.0.1 Patch 7

Description The issue is related to the lack of validation of XML object sequences in the make task function of OpenEMR, which can be exploited by a remote attacker to conduct SQL injection attacks. The vulnerability is present in the make task function in /interface/forms/eye mag/php/taskman functions.php, accessible via /interface/forms/eye mag/taskman.php.

Recommendations For OpenEMR versions prior to 5.0.1 Patch 7, update to version 5.0.1 Patch 7 or later to resolve the issue. As a temporary workaround, consider restricting access to the make task function in /interface/forms/eye mag/php/taskman functions.php to minimize the risk of exploitation. Avoid using the /interface/forms/eye mag/taskman.php endpoint until the issue is resolved.