CVE Vulnerabilities

CVE-2018-1000648

Improper Privilege Management

Published: Aug 20, 2018 | Modified: Oct 03, 2019
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write vulnerability in Patient file letter functions that can result in Write files with malicious content and may lead to remote code execution. This attack appear to be exploitable via User controlled parameters.

Weakness

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Librehealth_ehr Librehealth 2.0.0 2.0.0

Potential Mitigations

References