CVE-2018-15139
published 2018-08-13

Priority: P271, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.27% (97.0th percentile)

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

Affected (1 range)

Vendor | Product | Version range | Fixed in
open-emr | openemr | < 5.0.1.4 | 5.0.1.4

Detection & IOCs (extracted from sources)

path: interface/super/manage_site_files.php
path: /interface/super/manage_site_files.php
path: /sites/default/images/
other: content_type: 'application/x-php'
  • Monitor POST requests to /interface/super/manage_site_files.php containing multipart file uploads with PHP extensions (e.g., .php) in the form_image field, indicating attempted webshell upload.
  • Alert on HTTP GET/POST requests to /sites/default/images/*.php, which indicates execution of an uploaded PHP webshell in the images directory.
  • Detect multipart upload requests to manage_site_files.php where the uploaded file's Content-Type is application/x-php, as used by the exploit to bypass upload restrictions.
  • Detect login attempts to OpenEMR followed immediately by a file upload to manage_site_files.php, as the exploit authenticates then uploads a webshell in sequence.
  • The vulnerability affects OpenEMR versions prior to 5.0.1.4 only; patched versions restrict PHP file uploads via the images upload form.
  • Exploitation requires prior authentication (valid admin credentials); unauthenticated attackers cannot directly exploit this vulnerability.
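
The access-log side of the detections above can be sketched as follows. This is an added example, not code from the advisory or its sources. It assumes Apache/nginx combined-format logs; the function name `detect`, the rule labels, the 10-minute window and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Paths come from the advisory text; everything else here is an assumption.
UPLOAD_PATH = "/interface/super/manage_site_files.php"
# The page names /sites/default/images/; other site ids and the .phtml/.phar
# variants are an assumed generalisation of "a file with a PHP extension".
IMAGES_PHP = re.compile(r"/sites/[^/]+/images/[^?]*\.(?:php\d?|phtml|phar)(?:$|[/?])", re.I)
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def detect(lines, window=timedelta(minutes=10)):
    """Return (rule, client_ip, path, status) tuples for suspicious requests.

    Access logs do not record the multipart filename or part Content-Type, so
    the form_image extension and application/x-php checks need request-body
    inspection (WAF or proxy) and are not covered here.
    """
    last_upload = {}  # client ip -> time of its last POST to the upload form
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if m["method"] == "POST" and path.split("?")[0].endswith(UPLOAD_PATH):
            last_upload[ip] = ts
            findings.append(("upload_post", ip, path, status))
        elif IMAGES_PHP.search(path):
            # A PHP request in the images directory shortly after an upload by
            # the same client is the highest-confidence signal.
            chained = ip in last_upload and ts - last_upload[ip] <= window
            rule = "upload_then_exec" if chained else "php_in_images"
            findings.append((rule, ip, path, status))
    return findings

# Constructed sample log lines (documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [13/Aug/2018:10:00:05 +0000] "POST /interface/super/manage_site_files.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Aug/2018:10:00:09 +0000] "GET /sites/default/images/x.php HTTP/1.1" 200 17',
    '198.51.100.4 - - [13/Aug/2018:10:01:00 +0000] "GET /sites/default/images/logo.png HTTP/1.1" 200 9000',
    '198.51.100.9 - - [13/Aug/2018:10:02:00 +0000] "GET /sites/default/images/old.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

A legitimate administrator saving site files also produces `upload_post`, so treat that rule as context and alert on `upload_then_exec` and on any `php_in_images` hit that returns a 200.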

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P