CVE-2018-15152
Published 2018-08-15
Priority P277 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EXPLOIT
EPSS: 25.94% (97.7th percentile)
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | < 5.0.1.4 | 5.0.1.4 |
Detection & IOCs
- Detect unauthenticated GET requests to sensitive portal PHP pages where the HTTP Referer header is set to the registration page (/portal/account/register.php). This is the mechanism used to bypass authentication.
- Alert on unauthenticated HTTP GET requests to any of the sensitive portal paths (e.g. get_profile.php, get_patient_documents.php, portal_payment.php) that are preceded in the same session by a GET to /portal/account/register.php.
- Check for the string 'Enter email address to receive registration.' in responses from /portal/account/register.php. Its presence confirms the patient registration portal is enabled and the target is exploitable.
- The exploit only works if the Patient Portal registration feature is enabled on the OpenEMR instance. If registration is disabled, the bypass is not possible.
- Affected versions are all OpenEMR releases prior to 5.0.1.4. Instances already patched to 5.0.1.4 or later are not vulnerable.
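The first two detection hints above, applied to web-server access logs, as an added example (not code from this page or from the OpenEMR project). It assumes the Apache/nginx "combined" log format and uses the client IP as a stand-in for "session"; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The 15 portal pages named in the CVE description, relative to /portal/.
SENSITIVE = tuple("/portal/" + p for p in """
add_edit_event_user.php find_appt_popup_user.php get_allergies.php
get_amendments.php get_lab_results.php get_medications.php
get_patient_documents.php get_problems.php get_profile.php portal_payment.php
messaging/messages.php messaging/secure_chat.php report/pat_ledger.php
report/portal_custom_report.php report/portal_patient_report.php
""".split())
REGISTER = "/portal/account/register.php"

# Assumption: Apache/nginx "combined" access-log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')

def find_bypass_candidates(lines):
    """Return (client, path, reason) for GETs matching either detection hint."""
    # The log does not show whether a request was authenticated, so hits are
    # candidates to correlate with portal login records, not confirmed abuse.
    seen_register = set()  # clients that already fetched the registration page
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = urlsplit(m["url"]).path
        # endswith() tolerates an install prefix such as /openemr/portal/...
        if path.endswith(REGISTER):
            seen_register.add(m["ip"])
        elif path.endswith(SENSITIVE):
            if urlsplit(m["referer"]).path.endswith(REGISTER):
                hits.append((m["ip"], path, "referer"))
            elif m["ip"] in seen_register:
                hits.append((m["ip"], path, "sequence"))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up host name).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "GET /portal/account/register.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '203.0.113.7 - - [10/Oct/2018:13:55:40 +0000] "GET /portal/get_profile.php HTTP/1.1" 200 2048 "http://emr.example/portal/account/register.php" "curl/7.58.0"',
    '203.0.113.7 - - [10/Oct/2018:13:55:44 +0000] "GET /portal/get_medications.php HTTP/1.1" 200 900 "-" "curl/7.58.0"',
    '198.51.100.9 - - [10/Oct/2018:14:02:10 +0000] "GET /portal/get_profile.php HTTP/1.1" 200 2048 "http://emr.example/portal/home.php" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(find_bypass_candidates(SAMPLE))
```

A legitimate patient who opens the registration page and then logs in will also produce "sequence" hits, so that rule is best joined against portal login events before alerting.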
CVSS provenance
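| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |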
No detection rules found.
Exploit-DB
OpenEMR 5.0.1.3 - Authentication Bypass
exploitdb·2021-06-16·CVSS 9.1
---
# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
# Date 15.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: All versions prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15152
# CWE: CWE-287
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit
'''
Description:
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to
the registration page and modifying the requested url to access the desired page. Some
examples of pages in the portal directory that are accessible after browsing to the
registration
Exploit-DB
Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
exploitdb·2018-01-08·CVSS 5.3
---
# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
# Date: 01/05/2018
# Exploit Author: Steve Kaun
# Vendor Homepage: https://www.synology.com
# Version: Before 6.1.3-15152
# CVE : CVE-2017-9554
Previously this was identified by the developer and the disclosure states "via unspecified vectors" it is possible to enumerate usernames via forget_passwd.cgi
Haven't identified any other disclosures that actually identified the attack vector, figure it would be helpful to another.
"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/163181/OpenEMR-5.0.1.3-Authentication-Bypass.html
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2018-15152-Exploit
- https://github.com/openemr/openemr/pull/1758/files
- https://insecurity.sh/reports/openemr.pdf
- https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/
- https://www.open-emr.org/wiki/index.php/OpenEMR_Patches