CVE-2019-14530
Published: 2019-08-13
Priority P2 · 74 · high · CVSS 3.1: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 66.89% (99.2th percentile)
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | < 5.0.2 | 5.0.2 |
Detection & IOCs
- Look for GET requests to /custom/ajax_download.php with a fileName parameter containing path traversal sequences (e.g., '../') as a strong indicator of exploitation attempts.
- HTTP response header containing 'filename=passwd' (or other sensitive filenames) from the OpenEMR server indicates successful file exfiltration via this vulnerability.
- Shodan/FOFA queries for exposed OpenEMR instances can be used to identify attack surface: search for http.html:"openemr", http.title:"openemr", or favicon hash 1971268439.
- The destructive file-deletion side effect only triggers if the target file is writable by www-data AND the specific directory exists on the server; absence of the directory prevents deletion but not exfiltration.
- The vulnerability requires prior authentication; unauthenticated exploitation is not possible. Detection rules should account for the authenticated session context.
- All OpenEMR versions prior to 5.0.2 are affected, including 5.0.1.7 which is the version used in public PoC exploits.
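One way to apply the first indicator above to web-server access logs, as an added example that is not part of the original page or of any published detection rule. It assumes Combined Log Format; the log lines, IP addresses and the function names `scan` and `is_traversal` are constructed for illustration, and it goes beyond a literal '../' match by percent-decoding repeatedly so encoded traversal is also flagged.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET = "/custom/ajax_download.php"  # endpoint named in the advisory
# Request portion of an Apache/nginx Combined Log Format line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(value, rounds=3):
    """Percent-decode until stable so double-encoded '..' is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(file_name):
    """True when any path segment of the decoded value is '..'."""
    return ".." in normalise(file_name).split("/")

def scan(lines):
    """Return one record per request to TARGET whose fileName traverses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # endswith() tolerates installs under a sub-folder such as /openemr/
        if not url.path.lower().endswith(TARGET):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get("fileName", [])
        for value in values:
            if is_traversal(value):
                hits.append({"ip": m["ip"], "method": m["method"],
                             "status": int(m["status"]),
                             "fileName": normalise(value)})
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /openemr/custom/ajax_download.php?fileName=../../../../etc/passwd HTTP/1.1" 200 1532',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /openemr/custom/ajax_download.php?fileName=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 220',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /openemr/custom/ajax_download.php?fileName=report_2024.xml HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /openemr/interface/main/main_screen.php?x=../a HTTP/1.1" 200 100',
]
```

A hit with status 200 only shows the request was served; correlate it with the session that issued it, since the flaw requires an authenticated user.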
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.0 MEDIUM, AV:N/AC:M/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
exploitdb·2021-07-05·CVSS 8.8
---
# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530
# Date: 2021-06-24
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml
# Version: [--debug]
#{__FILE__} -h | --help
Options:
Root URL (base path) including HTTP scheme, port and root folder
Filename of the file to be read
Username of the admin
Password of the admin
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} exploit http
Exploit-DB
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
exploitdb·2021-06-21·CVSS 8.8
---
# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
# Date 16.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
# Version: All versions prior to 5.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-14530
# CWE: CWE-22
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md
# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf
'''
Description:
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.
An authenticated attacker can downlo
Nuclei
OpenEMR <5.0.2 - Local File Inclusion
nuclei·CVSS 8.8
OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server.
Template:
id: CVE-2019-14530
info:
  name: OpenEMR <5.0.2 - Local File Inclusion
  author: TenBird
  severity: high
  description: |
    OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable fo
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.html
- http://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.html
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2019-14530-Exploit
- https://github.com/Wezery/CVE-2019-14530
- https://github.com/openemr/openemr/pull/2592