Accounting account can upload file as Admin account #3875

Open
khanhnv-2091 opened this issue Aug 21, 2020 · 2 comments

Comments

@khanhnv-2091

khanhnv-2091 commented Aug 21, 2020

I just discovered a vulnerability that allows an accounting account to upload files like an admin account.
POC: https://drive.google.com/file/d/1uMVhHLkvf5bdAt0__vq8wG1hcHAaHALy/view?usp=sharing
If you need any further information don't hesitate to email me: nguyenkhanh.actvn@gmail.com

@fabriziofadigati

Hi @khanhnv-2091,
I tried to replicate the steps from the video but I see OpenEMR is completely different now.
There is no accounting account (now it's called accountant).

@tywrenn I think the issue could be closed

@tywrenn
Contributor

tywrenn commented May 9, 2021

@sjpadgett Can u help me verify that this issue was fixed? I've been working a full-time job and barely have spare time on this nowadays lol
