PT-2021-3416 · Openemr · Openemr

Author: Dennis Brinkrolf (+1)

Published: 2021-05-07 · Updated: 2021-05-11

CVE-2021-32101

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions

OpenEMR version 5.0.2.1

Description

The issue is caused by insufficient permission checks on a critical resource in the portal/patient/_machine_config.php component of OpenEMR. It can allow a remote attacker to gain unauthorized access to protected information. An unauthenticated attacker can exploit it by registering a patient portal account and bypassing the permission check of the portal's API, after which the data of every registered patient can be read and manipulated.

Recommendations

For OpenEMR version 5.0.2.1, consider restricting access to the portal/patient/_machine_config.php component until a patch is available. As a temporary workaround, limit the registration of new portal accounts and closely monitor portal API activity to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Incorrect Permission

Related Identifiers

BDU:2021-03268
CVE-2021-32101

Affected Products

Openemr