PT-2021-16850 · Openemr · Openemr

Published: 2021-03-22 · Updated: 2022-07-12 · CVE-2021-25920

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions v2.7.2-rc1 through 6.0.0

Description: The issue concerns Improper Access Control when creating a new user. This allows a malicious user to read and send sensitive messages on behalf of the victim user.

Recommendations: For OpenEMR versions v2.7.2-rc1 through 6.0.0, consider restricting access to the user creation functionality until a patch is available. As a temporary workaround, limit the privileges of newly created users so that they cannot read or send sensitive messages. Additionally, monitor user activity closely for any signs of unauthorized access or message sending. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration

Related Identifiers

CVE-2021-25920

Affected Products

Openemr