CVE-2020-19364

8.8 HIGH

📋 TL;DR

CVE-2020-19364 is an unrestricted file upload vulnerability in OpenEMR that allows authenticated attackers to upload and execute malicious PHP scripts via the /controller.php endpoint. This enables remote code execution on affected systems. Any organization running vulnerable OpenEMR versions is at risk.

💻 Affected Systems

Products:
  • OpenEMR
Versions: 5.0.1 and possibly earlier versions
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the OpenEMR application


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case: Attacker gains shell access to the web server, exfiltrates sensitive patient data, and installs web shells for persistent access.

🟢 If Mitigated: Attack is detected during file upload attempt, blocked by WAF/file validation, or fails due to proper file permission restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.2 and later

Vendor Advisory: https://github.com/openemr/openemr/security/advisories

Restart Required: No

Instructions:

1. Backup your OpenEMR installation and database.
2. Download OpenEMR 5.0.2 or later from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify file permissions and ownership.
5. Test application functionality.

🔧 Temporary Workarounds

File Upload Restriction (applies to: all)

  • Implement strict file type validation and whitelist allowed extensions
  • Modify /controller.php to validate file extensions before processing

Web Application Firewall Rules (applies to: all)

  • Block PHP file uploads to /controller.php endpoint
  • Add WAF rule: deny requests to /controller.php with file uploads containing .php extensions

🧯 If You Can't Patch

  • Implement strict file upload validation in application code
  • Restrict web server permissions to prevent PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check if OpenEMR version is 5.0.1 or earlier and review /controller.php for proper file upload validation

Check Version:

Check OpenEMR version in interface or review version.php file

Verify Fix Applied:

Verify OpenEMR version is 5.0.2 or later and test file upload functionality with PHP files

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts to /controller.php with .php extensions
  • Unusual file creation in upload directories
  • POST requests to /controller.php with file parameters

Network Indicators:

  • HTTP POST requests to /controller.php with file uploads
  • Unusual outbound connections from web server

SIEM Query:

source="web_server" AND (uri="/controller.php" AND method="POST" AND file_upload="true")
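As an added illustration of the log and file indicators above (example code, not part of this advisory or of OpenEMR), a small Python detector that picks POST requests to /controller.php out of Apache combined-format access-log lines and flags names in an upload-directory listing that carry a PHP-executable extension in any suffix position. The log lines, IP addresses and filenames are constructed sample data.

```python
import re
from typing import Iterable

# Constructed Apache combined-format access-log lines (sample data, not from a real host).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:14:02 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:14:30 +0000] "POST /controller.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:15:01 +0000] "POST /controller.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2024:10:15:40 +0000] "GET /controller.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed listing of an upload directory (sample data).
SAMPLE_UPLOAD_DIR = ["scan_2024.pdf", "xray.jpg", "notes.PHP", "report.php.pdf", "labs.txt"]

# Apache combined log: client, ident, user, [timestamp], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions a typical PHP handler configuration will execute; extend to match your server.
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def find_upload_requests(log_text: str) -> list[dict]:
    """Return POST requests whose path (query string ignored) is /controller.php."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        path = m.group("uri").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/controller.php":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status"))})
    return hits


def is_executable_name(filename: str) -> bool:
    """True if any dot-separated suffix (not only the last) is a PHP-executable extension."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in EXEC_EXTENSIONS for s in suffixes)


def flag_upload_dir(filenames: Iterable[str]) -> list[str]:
    """Return, sorted, the names in an upload directory that should not be there."""
    return sorted(f for f in filenames if is_executable_name(f))


if __name__ == "__main__":
    for hit in find_upload_requests(SAMPLE_ACCESS_LOG):
        print(f"upload POST to /controller.php from {hit['ip']} at {hit['ts']} (status {hit['status']})")
    print("executable names in upload dir:", flag_upload_dir(SAMPLE_UPLOAD_DIR))
```

Access logs do not record the uploaded filename, so the request check and the directory check complement each other; in production, point the directory check at the actual upload path used by your installation.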
