CVE-2020-36243

Name of the Vulnerable Software and Affected Versions: OpenEMR version 5.0.2.1

Description: The Patient Portal of OpenEMR is affected by a Command Injection issue in the /interface/main/backup.php API endpoint. An authenticated attacker can exploit this by sending a POST request that executes arbitrary OS commands via shell metacharacters.

Recommendations: For OpenEMR version 5.0.2.1, consider restricting access to the /interface/main/backup.php endpoint until a patch is available. As a temporary workaround, limit the functionality of the backup feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.