PT-2023-1419 · Unknown · Nosh Chartingsystem

Charalampos Theodorou · Published 2023-02-01 · Updated 2023-02-08 · CVE-2023-24610

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: NOSH version 4a5cfdb

Description: The issue allows remote authenticated users to execute arbitrary PHP code via the "practice logo" upload feature. The client-side checks can be bypassed, potentially enabling attackers to steal Protected Health Information, since the product is used for health charting. The issue is an unrestricted file upload vulnerability in the Organization/Practice module of the New Open Source Health (NOSH) ChartingSystem, which can allow a remote attacker to execute arbitrary code and gain full control over the system.

Recommendations: For NOSH version 4a5cfdb, consider disabling the "practice logo" upload feature until a patch is available, to prevent the execution of arbitrary PHP code. Restrict access to the file upload functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
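The advisory's root cause is that only client-side checks guard the logo upload. The following is an added example of the server-side validation a defender would want in place; it is not NOSH code, and the form field name `logo`, the directory `/var/app/private/logos` and the size limit are placeholders.

```php
<?php
// Added example, not NOSH code: server-side checks for a "practice logo"
// upload. Client-side checks alone can be bypassed, so everything the file
// claims about itself is re-verified here on the server.

// Placeholder: a directory outside the web root, never served as PHP.
const LOGO_DIR = '/var/app/private/logos';
const MAX_BYTES = 512 * 1024;

// Only the raster image types a logo feature needs; the stored extension is
// derived from the detected type, never from the client-supplied file name.
const ALLOWED_TYPES = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF];

function storePracticeLogo(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    // Reject anything that did not arrive through this request's upload.
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('rejected upload');
    }
    // Magic-byte MIME check, independent of the client's Content-Type header.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        throw new RuntimeException('not an image');
    }
    // Parse the image header; a polyglot with a valid header and a PHP body
    // is still neutralised by the non-executable name and location below.
    $info = getimagesize($tmp);
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        throw new RuntimeException('unsupported image type');
    }
    // Random server-chosen name: no path or extension taken from the client.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    $dest = LOGO_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store logo');
    }
    chmod($dest, 0640);
    return $name; // serve later via a controller that sets Content-Type itself
}

// Usage in the upload handler:
// $stored = storePracticeLogo($_FILES['logo']);
```

Serving the stored file back through a controller, rather than from a path under the web root, means the web server never has the chance to interpret an uploaded file as PHP.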

Exploit

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

BDU:2023-00807
CVE-2023-24610

Affected Products

Nosh Chartingsystem