CVE-2023-22974

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 7.0.0

Description The issue is related to a Path Traversal vulnerability in the setup.php file of OpenEMR. This vulnerability allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server. The vulnerability is due to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to gain unauthorized access to protected information.

Recommendations For OpenEMR versions prior to 7.0.0, update to version 7.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the setup.php file until a patch is available. Avoid using the setup.php file to connect to external MySQL servers until the issue is resolved.