cbcvebase.
CVE-2013-10044
published 2025-08-01


Priority: P269 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 1.28% (66.5th percentile)
An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
open-emr | openemr | <= 4.1.1 |
openemr_foundation | openemr | <= 4.1.1 Patch 14 |

Detection & IOCs

path: new_comprehensive_save.php
path: manage_site_files.php
  • Monitor HTTP requests to 'new_comprehensive_save.php' from low-privileged authenticated sessions for SQL injection patterns (e.g., UNION SELECT, stacked queries) targeting credential extraction.
  • Alert on file upload activity to 'manage_site_files.php' following a privilege escalation event or admin login from an unusual source, as this endpoint is used for arbitrary code upload post-exploitation.
  • Detect extraction of SHA1 admin password hashes via SQL injection responses; look for 40-character hex strings in HTTP responses from OpenEMR pages accessed by non-admin users.
  • The vulnerability is only exploitable by an authenticated low-privileged user; unauthenticated access alone is insufficient to trigger the SQLi.
  • The full exploit chain requires two stages: SQLi credential theft via new_comprehensive_save.php, then RCE via unrestricted file upload through manage_site_files.php; both endpoints must be accessible for full compromise.
  • Affected versions are OpenEMR 4.1.1 Patch 14 and lower; ensure version scope is confirmed before applying detections to avoid false positives on patched instances.

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X