Tag
high
advisory
OpenEMR XXE Vulnerability (CVE-2026-33913)
2 rules, 1 IOC
OpenEMR before version 8.0.0.3 is vulnerable to XML External Entity (XXE) injection, allowing an authenticated user with access to the Carecoordination module to upload a crafted CCDA document and read arbitrary files from the server.
cve-2026-33913
xxe
openemr
web-application
high
advisory
OpenEMR Missing Authorization Allows Unauthorized Data Deletion
2 rules, 1 TTP
OpenEMR versions before 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user to delete patient data.
openemr
authorization-bypass
data-deletion
high
advisory
OpenEMR Blind SQL Injection Vulnerability in Patient Search (CVE-2026-29187)
2 rules, 1 TTP
OpenEMR versions prior to 8.0.0.3 are susceptible to a blind SQL injection vulnerability in the Patient Search functionality, allowing authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys.
sqli
openemr
vulnerability