CVE-2020-29139

Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 5.0.2.5

Description: A SQL injection issue allows a remote authenticated attacker to execute arbitrary SQL commands. The issue is related to the searchFields parameter in the interface/main/finder/patient select.php file, which is part of the library/patient.inc library.

Recommendations: For versions prior to 5.0.2.5, update to version 5.0.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the patient select.php file or avoiding the use of the searchFields parameter until the issue is resolved.