CVE-2019-14530
published 2019-08-13


Priority: P2 74 high
CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available
EPSS: 66.89% (99.2th percentile)
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file is deleted from the server after download.

Affected (1 range)

Vendor: open-emr
Product: openemr
Version range: < 5.0.2
Fixed in: 5.0.2

Detection & IOCs (extracted from sources)

path: /custom/ajax_download.php
path: /var/www/openemr/sites/default/documents/cqm_qrda/
url: /custom/ajax_download.php?fileName=../../../../../../../../..
url: /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd
url: /interface/main/main_screen.php?auth=login&site=default
  • Look for GET requests to /custom/ajax_download.php with a fileName parameter containing path traversal sequences (e.g., '../') as a strong indicator of exploitation attempts.
  • HTTP response header containing 'filename=passwd' (or other sensitive filenames) from the OpenEMR server indicates successful file exfiltration via this vulnerability.
  • Shodan/FOFA queries for exposed OpenEMR instances can be used to identify attack surface: search for http.html:"openemr", http.title:"openemr", or favicon hash 1971268439.
  • The destructive file-deletion side effect only triggers if the target file is writable by www-data AND the specific directory exists on the server; absence of the directory prevents deletion but not exfiltration.
  • The vulnerability requires prior authentication; unauthenticated exploitation is not possible. Detection rules should account for the authenticated session context.
  • All OpenEMR versions prior to 5.0.2 are affected, including 5.0.1.7, which is the version used in public PoC exploits.
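A log-based detection for the first bullet above, added here as an example (not from the source page or the OpenEMR project); it assumes Apache combined-format access logs and constructs its own sample lines, including a URL-encoded traversal that a naive literal '../' match would miss:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2019:10:01:02 +0000] "GET /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Aug/2019:10:01:09 +0000] "GET /custom/ajax_download.php?fileName=report.pdf HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Aug/2019:10:02:31 +0000] "GET /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.64.1"
10.0.0.9 - - [13/Aug/2019:10:02:40 +0000] "GET /custom/ajax_download.php?fileName=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "curl/7.64.1"
"""

# Combined-format request line: client IP, timestamp, method, target, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment bounded by '/' or '\' (or string start/end).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def deep_unquote(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded fileName value contains a '..' path segment."""
    return bool(TRAVERSAL_RE.search(deep_unquote(value)))


def detect_cve_2019_14530(log_text: str) -> list:
    """Return one record per request to /custom/ajax_download.php whose fileName traverses directories."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/custom/ajax_download.php"):
            continue
        # parse_qs already decodes one layer; is_traversal handles further layers.
        for name in parse_qs(parts.query, keep_blank_values=True).get("fileName", []):
            if is_traversal(name):
                hits.append({"ip": m["ip"], "ts": m["ts"], "fileName": deep_unquote(name),
                             "status": int(m["status"]),
                             # a 200 means the server served (and possibly deleted) the file
                             "likely_success": m["status"] == "200"})
    return hits
```

Pair a 200 hit with the response-header check in the second bullet (Content-Disposition naming a sensitive file) to confirm exfiltration rather than a blocked attempt.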

CVSS provenance

NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.0 MEDIUM (AV:N/AC:M/Au:S/C:P/I:P/A:P)