CVE-2024-22611: 
OpenEMR vulnerability analysis and mitigation

OpenEMR 7.0.2 contains a SQL injection vulnerability in the pharmacy module that can be exploited by authenticated attackers through the web interface. The vulnerability was discovered by Le Quoc Bao from HPT Vietnam Corporation on January 2, 2024, and was assigned CVE-2024-22611. The vulnerability exists due to insufficient input validation in the pharmacy listing functionality (GitHub Advisory).

The vulnerability occurs in three main files: \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php, and \openemr\controller.php. The issue stems from user-supplied input in the sort parameter being directly concatenated into SQL queries without proper sanitization. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).

The vulnerability can lead to unauthorized access to database information, potential data breach of sensitive medical information, server-side code execution in some cases, and database compromise (GitHub Advisory).

Recommended mitigations include implementing strict input validation for all user-supplied parameters, using parameterized queries or prepared statements, applying proper escaping and sanitization of user inputs, implementing proper error handling, using secure database access libraries, following the principle of least privilege for database access, implementing a Web Application Firewall (WAF), conducting regular security audits and penetration testing, and keeping the system and all components up to date (GitHub Advisory).