CVE-2021-25923

EUVD-2021-12789
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
open-emropenemr
5.0.0 ≤
𝑥
≤ 6.0.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/openemr/openemr/commit/28ca5c008d4a408b60001a67dfd3e0915f9181e0
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25923
https://github.com/openemr/openemr/commit/28ca5c008d4a408b60001a67dfd3e0915f9181e0
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25923