Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-2493

Summary
Assigner-@huntrdev
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-22 Jul, 2022 | 03:47
Updated At-03 Aug, 2024 | 00:39
Rejected At-
Credits

Data Access from Outside Expected Data Manager Component in openemr/openemr

Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntrdev
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:22 Jul, 2022 | 03:47
Updated At:03 Aug, 2024 | 00:39
Rejected At:
▼CVE Numbering Authority (CNA)
Data Access from Outside Expected Data Manager Component in openemr/openemr

Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.

Affected Products
Vendor
OpenEMR Foundation, Incopenemr
Product
openemr/openemr
Versions
Affected
  • From unspecified before 7.0.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-1083CWE-1083 Data Access from Outside Expected Data Manager Component
Type: CWE
CWE ID: CWE-1083
Description: CWE-1083 Data Access from Outside Expected Data Manager Component
Metrics
VersionBase scoreBase severityVector
3.08.3HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Version: 3.0
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/8a4d54e2-e1cd-47c3-9304-ac8be87c80f1
x_refsource_CONFIRM
https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908
x_refsource_MISC
Hyperlink: https://huntr.dev/bounties/8a4d54e2-e1cd-47c3-9304-ac8be87c80f1
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/8a4d54e2-e1cd-47c3-9304-ac8be87c80f1
x_refsource_CONFIRM
x_transferred
https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908
x_refsource_MISC
x_transferred
Hyperlink: https://huntr.dev/bounties/8a4d54e2-e1cd-47c3-9304-ac8be87c80f1
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:22 Jul, 2022 | 04:15
Updated At:27 Jul, 2022 | 19:36

Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Secondary3.08.3HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Type: Primary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.0
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CPE Matches
OpenEMR Foundation, Inc
open-emr
>>openemr>>Versions before 7.0.0(exclusive)
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE-1083Secondarysecurity@huntr.dev
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-1083
Type: Secondary
Source: security@huntr.dev
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908security@huntr.dev
Patch
Third Party Advisory
https://huntr.dev/bounties/8a4d54e2-e1cd-47c3-9304-ac8be87c80f1security@huntr.dev
Exploit
Patch
Third Party Advisory
Hyperlink: https://github.com/openemr/openemr/commit/871ae5198d8ca18fd17257ae7c5c906a52dca908
Source: security@huntr.dev
Resource:
Patch
Third Party Advisory
Hyperlink: https://huntr.dev/bounties/8a4d54e2-e1cd-47c3-9304-ac8be87c80f1
Source: security@huntr.dev
Resource:
Exploit
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2026-24890
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.03% / 7.72%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 18:10
Updated-27 Feb, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenEMR Portal Users Can Forge Provider Signatures

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures by setting `type=admin-signature` and specifying any provider user ID. This could potentially lead to signature forgery on medical documents, legal compliance violations, and fraud. The issue occurs when portal users are allowed to modify provider signatures without proper authorization checks. Version 8.0.0 fixes the issue.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr
CWE ID-CWE-285
Improper Authorization
CVE-2026-25164
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.03% / 7.72%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 18:22
Updated-27 Feb, 2026 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenEMR's Document and Insurance REST Endpoints Skip ACL

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr
CWE ID-CWE-862
Missing Authorization
CVE-2023-2946
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 24.41%
||
7 Day CHG~0.00%
Published-27 May, 2023 | 00:00
Updated-14 Jan, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in openemr/openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-284
Improper Access Control
CVE-2023-2950
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.45% / 63.25%
||
7 Day CHG~0.00%
Published-28 May, 2023 | 00:00
Updated-14 Jan, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authorization in openemr/openemr

Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-285
Improper Authorization
CVE-2022-4567
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.17% / 37.49%
||
7 Day CHG~0.00%
Published-17 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in openemr/openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-284
Improper Access Control
CVE-2023-2942
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.43% / 62.03%
||
7 Day CHG~0.00%
Published-27 May, 2023 | 00:00
Updated-14 Jan, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in openemr/openemr

Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-20
Improper Input Validation
CVE-2022-25471
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-1.30% / 79.50%
||
7 Day CHG~0.00%
Published-02 Mar, 2022 | 23:07
Updated-03 Aug, 2024 | 04:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.

Action-Not Available
Vendor-n/aOpenEMR Foundation, Inc
Product-openemrn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-1459
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.3||HIGH
EPSS-0.47% / 64.30%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 09:55
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Non-Privilege User Can View Patient’s Disclosures in openemr/openemr

Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-1118
Insufficient Documentation of Error Handling Techniques
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
Details not found