CVE-2020-19364

Name of the Vulnerable Software and Affected Versions: OpenEMR version 5.0.1

Description: The issue allows an authenticated attacker to upload and execute malicious PHP scripts through the "/controller.php" API endpoint. This can be achieved by exploiting the vulnerability in the controller.php file, which does not properly validate uploaded scripts.

Recommendations: For OpenEMR version 5.0.1, consider disabling the upload functionality in the /controller.php endpoint until a patch is available. Restrict access to the /controller.php endpoint to minimize the risk of exploitation. Avoid using this endpoint for uploading scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.