CVE-2019-14530
CVE-2019-14530
Vexday Risk Score
50Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Popular PoC on GitHub (4 stars) — exploitation code widely available.
CVSS —EPSS 66.9%KEV nãoPoC públicaNuclei simMetasploit —Patch —
Lifecycle
13 Aug 2019Public PoC
13 Aug 2019Published on NVD
Weaponization speed
same dayto first PoC
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Plan a near-term fix — a public PoC already exists.
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
Affected products
n/a · n/apublic PoCs found — 5
githubgithub.com/sec-it/exploit-CVE-2019-14530★ 4githubgithub.com/Wezery/CVE-2019-14530★ 0cve_referencepacketstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.htmlunverifiedcve_referencepacketstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.htmlunverifiedexploitdbwww.exploit-db.com/exploits/50037unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.htmlhttp://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.htmlhttps://github.com/Hacker5preme/Exploits/tree/main/CVE-2019-14530-Exploithttps://github.com/openemr/openemr/pull/2592https://github.com/Wezery/CVE-2019-14530