CVE-2013-10044

High CVSS 8.7

Overview

An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.

CWE: CWE-89 Published: 2025-08-01T21:15:26.030

Risk analysis

This vulnerability is rated 🟠 HIGH.

CVSS: 8.7 (HIGH)
Detected tags: rce, sql, upload (tag impact: VERY HIGH)

Recommended actions:

Patch/upgrade immediately (remote code execution).
Reduce exposure (WAF/segmentation), minimize attack surface.
Use parameterized queries/ORM (avoid string concatenation).
Add WAF rules and input validation.
Restrict types/MIME, store outside web root, inspect content.

Overview

Recommended tools

Tags