CVE-2018-15152
published 2018-08-15


Priority: P277 | critical | 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 25.94% (97.7th percentile)
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.

Affected

1 range
Vendor | Product | Version range | Fixed in
open-emr | openemr | < 5.0.1.4 | 5.0.1.4

Detection & IOCs (extracted from sources)

path: /portal/account/register.php
path: /portal/add_edit_event_user.php
path: /portal/find_appt_popup_user.php
path: /portal/get_allergies.php
path: /portal/get_amendments.php
path: /portal/get_lab_results.php
path: /portal/get_medications.php
path: /portal/get_patient_documents.php
path: /portal/get_problems.php
path: /portal/get_profile.php
path: /portal/portal_payment.php
path: /portal/messaging/messages.php
path: /portal/messaging/secure_chat.php
path: /portal/report/pat_ledger.php
path: /portal/report/portal_custom_report.php
path: /portal/report/portal_patient_report.php
  • Detect unauthenticated GET requests to sensitive portal PHP pages where the HTTP Referer header is set to the registration page (/portal/account/register.php). This is the mechanism used to bypass authentication.
  • Alert on unauthenticated HTTP GET requests to any of the sensitive portal paths (e.g. get_profile.php, get_patient_documents.php, portal_payment.php) that are preceded in the same session by a GET to /portal/account/register.php.
  • Check for the string 'Enter email address to receive registration.' in responses from /portal/account/register.php — its presence confirms the patient registration portal is enabled and the target is exploitable.
  • The exploit only works if the Patient Portal registration feature is enabled on the OpenEMR instance. If registration is disabled, the bypass is not possible.
  • Affected versions are all OpenEMR releases prior to 5.0.1.4. Instances already patched to 5.0.1.4 or later are not vulnerable.
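
The first two detection notes above can be run as a log hunt. The following is an added example, not code from this page or from OpenEMR: it scans web-server access logs in the Apache/nginx "combined" format and flags GET requests to the listed portal pages that carry a Referer of the registration page or follow a registration-page request from the same client. Assumptions: the client IP stands in for the session, access logs do not show authentication state (so hits are candidates for review), and the sample lines, hostnames and the `find_suspects` name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REGISTER = "/portal/account/register.php"
# Portal pages enumerated in the CVE-2018-15152 description.
SENSITIVE = tuple("/portal/" + p for p in (
    "add_edit_event_user.php", "find_appt_popup_user.php", "get_allergies.php",
    "get_amendments.php", "get_lab_results.php", "get_medications.php",
    "get_patient_documents.php", "get_problems.php", "get_profile.php",
    "portal_payment.php", "messaging/messages.php", "messaging/secure_chat.php",
    "report/pat_ledger.php", "report/portal_custom_report.php",
    "report/portal_patient_report.php"))

# combined format: ip ident user [time] "METHOD uri proto" status size "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

# Constructed sample log lines (documentation IP ranges, made-up host).
SAMPLE = [
    '203.0.113.7 - - [15/Aug/2018:10:00:01 +0000] "GET /portal/account/register.php HTTP/1.1" 200 2310 "-" "curl/7.58.0"',
    '203.0.113.7 - - [15/Aug/2018:10:00:02 +0000] "GET /portal/get_profile.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '198.51.100.9 - - [15/Aug/2018:10:01:00 +0000] "GET /openemr/portal/get_medications.php HTTP/1.1" 200 812 "http://emr.example/openemr/portal/account/register.php" "Mozilla/5.0"',
    '192.0.2.4 - - [15/Aug/2018:10:02:00 +0000] "GET /portal/get_profile.php HTTP/1.1" 200 5120 "http://emr.example/portal/home.php" "Mozilla/5.0"',
]

def find_suspects(lines):
    """Return (ip, path, status, reason) for GETs to the sensitive portal pages
    that follow the registration page, by Referer or by an earlier same-IP hit."""
    seen_register, hits = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "GET":
            continue
        ip, _, uri, status, referer = m.groups()
        path = urlsplit(uri).path  # drop the query string before matching
        # endswith() tolerates installs under a prefix such as /openemr
        if path.endswith(REGISTER):
            seen_register.add(ip)
        elif path.endswith(SENSITIVE):
            if urlsplit(referer).path.endswith(REGISTER):
                hits.append((ip, path, status, "referer"))
            elif ip in seen_register:
                hits.append((ip, path, status, "preceded"))
    return hits

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE):
        print(*hit)
```

A hit with status 200 deserves priority in triage, and correlating hits with the portal's own login records separates legitimate patients from requests that never authenticated.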

CVSS provenance

nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N