Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

OpenEMR 5.0.1(6) - Technical Advisory Release

Gauge showing high severity reading for a security advisory for EzAdsPro “BlackBox” application.


OpenEMR is the world’s most popular open source electronic health records and medical practice management solution, and is used globally to manage millions of patient records.

We recently discovered several security vulnerabilities within Version 5.0.1(6) with potentially severe implications. While these issues have been resolved in Version 5.0.2, the wide distribution of earlier versions plus the impact of successful exploitation requires us to publish the details of our discoveries.

Identified vulnerabilities include remote code execution (CVE-2019-8371) and several instances of cross-site scripting (CVE-2019-8368). Successful exploitation of the identified vulnerabilities could lead to server compromise and allow an administrative attacker to execute code on the underlying server. In all situations, sensitive patient information would be at risk.

After closely working with the vendor, we are releasing the details in accordance with our Responsible Disclosure Policy. You can find more information and specific technical information by reading the OpenEMR Advisory.

As of this writing, OpenEMR has announced no plans to issue further patches for Version 5.0.1. While unconfirmed, we also highly suspect these vulnerabilities exist in earlier releases. Users are strongly urged to upgrade to Version 5.0.2, which rectifies these issues.

For more information, please refer to OpenEMR.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Chris davis

About the author, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
More by Chris

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.