📄 Description (English)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch.
🤖 AI Executive Summary
OpenEMR versions prior to 8.0.0.3 contain an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet module that allows authenticated users to access, modify, or delete drug sales records for arbitrary patients. This critical healthcare data exposure vulnerability affects medical institutions across Saudi Arabia that rely on OpenEMR for patient record management. Immediate patching to version 8.0.0.3 or later is essential to prevent unauthorized access to sensitive pharmaceutical and financial records.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 13, 2026 04:57
🇸🇦 Saudi Arabia Impact Assessment
Healthcare sector organizations in Saudi Arabia are most critically affected, including private hospitals, clinics, and medical centers using OpenEMR for electronic health records management. The vulnerability directly impacts MEWA (Ministry of Health) affiliated facilities and private healthcare providers. Secondary impact extends to pharmaceutical supply chain management and billing systems. Government health institutions under NCA oversight face compliance violations. Telecom and insurance sectors managing healthcare-related data are also at risk. The exposure of patient pharmaceutical records and associated financial transactions creates significant liability under Saudi healthcare regulations and GDPR-equivalent data protection requirements.
🏢 Affected Saudi Sectors
Healthcare - Hospitals and Clinics
Healthcare - Private Medical Centers
Government Health Institutions
Pharmaceutical Supply Chain
Health Insurance and MEWA
Medical Billing and Finance
Telecom (healthcare data management)
Government (health data custodians)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenEMR instances in your organization and document current versions
2. Restrict fee sheet ACL access to only essential personnel pending patch deployment
3. Enable audit logging for all fee sheet operations (drug_sales table modifications)
4. Review access logs for unauthorized drug_sales record access patterns
PATCHING GUIDANCE:
1. Upgrade OpenEMR to version 8.0.0.3 or later immediately
2. Test patch in non-production environment first
3. Schedule maintenance window for production deployment
4. Verify patch application by checking FeeSheet.class.php contains patient/encounter validation
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement database-level access controls restricting fee sheet queries to current patient context
2. Deploy Web Application Firewall (WAF) rules to detect and block manipulation of prod[][sale_id] parameters
3. Implement row-level security (RLS) on drug_sales table based on patient_id and encounter_id
4. Disable fee sheet functionality for non-essential users
DETECTION RULES:
1. Monitor for SQL queries accessing drug_sales with mismatched patient_id/encounter_id combinations
2. Alert on fee sheet save operations with sale_id values not belonging to current patient
3. Track modifications to drug_sales records by users without direct patient assignment
4. Log all hidden form field manipulations in fee sheet submissions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات OpenEMR في مؤسستك وقثق الإصدارات الحالية
2. قيد الوصول إلى ACL لورقة الرسوم للموظفين الأساسيين فقط قبل نشر التصحيح
3. فعّل تسجيل التدقيق لجميع عمليات ورقة الرسوم (تعديلات جدول drug_sales)
4. راجع سجلات الوصول للكشف عن أنماط الوصول غير المصرح إلى سجلات drug_sales
إرشادات التصحيح:
1. قم بترقية OpenEMR إلى الإصدار 8.0.0.3 أو أحدث على الفور
2. اختبر التصحيح في بيئة غير الإنتاج أولاً
3. جدول نافذة صيانة لنشر الإنتاج
4. تحقق من تطبيق التصحيح بالتحقق من أن FeeSheet.class.php يحتوي على التحقق من المريض/الالتقاء
الضوابط التعويضية (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ ضوابط الوصول على مستوى قاعدة البيانات تقيد استعلامات ورقة الرسوم لسياق المريض الحالي
2. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن معالجة معاملات prod[][sale_id] وحظرها
3. تنفيذ أمان على مستوى الصف (RLS) على جدول drug_sales بناءً على patient_id و encounter_id
4. تعطيل وظيفة ورقة الرسوم للمستخدمين غير الأساسيين
قواعد الكشف:
1. مراقبة استعلامات SQL التي تصل إلى drug_sales مع عدم تطابق patient_id/encounter_id
2. تنبيه عمليات حفظ ورقة الرسوم مع قيم sale_id لا تنتمي إلى المريض الحالي
3. تتبع التعديلات على سجلات drug_sales من قبل المستخدمين بدون تعيين مريض مباشر
4. تسجيل جميع معالجات حقول النموذج المخفية في عمليات إرسال ورقة الرسوم
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authentication
ECC 2024 A.9.4.3 - Password management and access control
ECC 2024 A.10.1.1 - Information security event logging
ECC 2024 A.12.4.1 - Event logging and monitoring
ECC 2024 A.14.2.1 - Secure development and change management
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset inventory and management
SAMA CSF PR.AC-1 - Access control and authentication
SAMA CSF PR.AC-3 - Access enforcement and least privilege
SAMA CSF DE.AE-1 - Anomalies and events detection
SAMA CSF DE.CM-1 - System monitoring and logging
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.8.22 - Information security incident management
ISO 27001:2022 A.12.4 - Logging and monitoring
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1 - Strong access control measures
PCI DSS 7.1 - Limit access to system components by business need
PCI DSS 10.1 - Implement audit trails for all access
PCI DSS 10.2 - Implement automated audit trails for all access
🔗 References & Sources 4
🔗
https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc
security-advisories@github.com
Patch
🔗
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
security-advisories@github.com
Product
🔗
https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
open-emr:openemr