CVE-2017-9380
Published: 2017-06-02


Priority: P2, 69, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 15.19% (96.3rd percentile)
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.

Affected

1 range
Vendor: open-emr
Product: openemr
Version range: <= 5.0.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /interface/main/main_screen.php?auth=login&site=default
URL: /interface/login/login.php?site=default
URL: /interface/new/new_comprehensive_save.php
URL: /controller.php?document&upload&patient_id=
Other: Content-Type: application/x-php (file upload MIME type for shell upload)
  • Monitor POST requests to /controller.php?document&upload containing multipart file uploads with PHP file extensions (e.g., .php) as the filename, indicating attempted webshell upload via the unrestricted file upload vulnerability.
  • Detect the exploit's sequential authentication + patient registration + file upload pattern: POST to main_screen.php?auth=login, then POST to new_comprehensive_save.php, then POST to controller.php?document&upload — all within the same session.
  • Flag HTTP requests where the POST body to /interface/new/new_comprehensive_save.php is immediately followed by a file upload to /controller.php?document&upload from the same source IP, as this matches the exploit's automated patient-creation-then-upload flow.
  • Look for the specific multipart boundary string '-----------------------------370797319835249590062969815666' in HTTP request bodies, which is a static artifact of this exploit script.
  • The exploit requires valid credentials (an authenticated low-privilege user); unauthenticated exploitation is not possible. Detection should account for the authenticated session preceding the upload.
  • The vulnerability is exploitable only if the web server serves files from the patient document upload directory. OpenEMR recommends restricting access to this directory, but this is often not enforced.
  • The exploit uses p0wny-shell as the uploaded webshell payload; detection of the shell's execution patterns (e.g., exec() calls, cwd traversal) may be relevant for post-exploitation detection.
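The sequence-and-upload detection described in the notes above, as an added example (not code from this page, from OpenEMR, or from the exploit): one function correlates web-server access-log lines per client into the login → patient save → document upload chain, and a second inspects the multipart body of an upload request for the indicators listed (executable filename extension, application/x-php part type, the static boundary string). Assumptions: Apache/nginx combined log format, the client IP standing in for the session because combined logs carry no session id, and an extension list that goes slightly beyond the page's ".php" (.phtml, .php5, .phar). The log lines and request body are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Request paths and indicators taken from the IOC list on this page.
LOGIN_PATH = "/interface/main/main_screen.php"
PATIENT_SAVE_PATH = "/interface/new/new_comprehensive_save.php"
UPLOAD_PATH = "/controller.php"
UPLOAD_QUERY = "document&upload"
STATIC_BOUNDARY = "-----------------------------370797319835249590062969815666"
# Assumption: a broader executable-extension list than the page's ".php" alone.
DANGEROUS_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "query": query, "status": int(status)}


def find_upload_sequences(lines, window=timedelta(minutes=10)):
    """Return (ip, login_time, upload_time) for every login -> patient save -> upload
    chain seen from one client within `window`. The client IP stands in for the
    session (assumption); prefer the session cookie if your logs include it."""
    state = {}  # ip -> {"stage": 1 or 2, "login": datetime}
    hits = []
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "POST":
            continue
        s = state.get(r["ip"])
        if s and r["time"] - s["login"] > window:
            state.pop(r["ip"], None)  # chain too old; forget it
            s = None
        if r["path"] == LOGIN_PATH and "auth=login" in r["query"]:
            state[r["ip"]] = {"stage": 1, "login": r["time"]}
        elif s and s["stage"] == 1 and r["path"] == PATIENT_SAVE_PATH:
            s["stage"] = 2
        elif s and s["stage"] == 2 and r["path"] == UPLOAD_PATH and UPLOAD_QUERY in r["query"]:
            hits.append((r["ip"], s["login"].isoformat(), r["time"].isoformat()))
            state.pop(r["ip"], None)
    return hits


def inspect_upload_request(content_type_header, body):
    """Return the reasons a multipart upload to the document endpoint matches the IOCs."""
    findings = []
    m = re.search(r'boundary=("?)([^";]+)\1', content_type_header)
    if not m:
        return findings  # not multipart; nothing to inspect here
    boundary = m.group(2)
    if boundary == STATIC_BOUNDARY:
        findings.append("static multipart boundary from the public exploit script")
    for part in body.split("--" + boundary):
        fn = re.search(r'filename="([^"]*)"', part, re.I)
        if not fn:
            continue
        if fn.group(1).lower().endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"executable file extension in upload: {fn.group(1)}")
        ct = re.search(r"^Content-Type:\s*(\S+)", part, re.I | re.M)
        if ct and ct.group(1).lower() == "application/x-php":
            findings.append("part Content-Type application/x-php")
    return findings


# Constructed sample data (RFC 5737 documentation addresses, placeholder file body).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2017:10:00:01 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0',
    '203.0.113.7 - - [02/Jun/2017:10:00:02 +0000] "GET /interface/main/main.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [02/Jun/2017:10:00:05 +0000] "POST /interface/new/new_comprehensive_save.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [02/Jun/2017:10:00:09 +0000] "POST /controller.php?document&upload&patient_id=42 HTTP/1.1" 200 512',
    # Second client logs in and uploads a document without creating a patient first: normal use, no hit.
    '198.51.100.9 - - [02/Jun/2017:10:01:00 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0',
    '198.51.100.9 - - [02/Jun/2017:10:02:00 +0000] "POST /controller.php?document&upload&patient_id=7 HTTP/1.1" 200 512',
]
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + STATIC_BOUNDARY
SAMPLE_BODY = (
    "--" + STATIC_BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
    "Content-Type: application/x-php\r\n\r\n"
    "placeholder file content (constructed sample)\r\n"
    "--" + STATIC_BOUNDARY + "--\r\n"
)

if __name__ == "__main__":
    for hit in find_upload_sequences(SAMPLE_LOG):
        print("login->patient->upload chain:", hit)
    for reason in inspect_upload_request(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print("upload indicator:", reason)
```

Run against the sample data, the first function reports one chain (203.0.113.7 only) and the second returns all three indicators for the sample body; a plain form-encoded request returns no findings. Keying on the session cookie instead of the IP removes false matches from NAT'd clinics, and the upload check belongs at a WAF or reverse proxy that sees request bodies, since access logs never show the filename.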

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P