Multiple vulnerabilities in LibreHealth EHR 2.0.0

I have found several vulnerabilities in open-source system LibreHealth EHR 2.0.0. More precisely 1 SQL-injection (CVE-2022-29938) and 2 Cross-site scripting (XSS) (CVE-2022-29939, CVE-2022-29940) vulnerabilities.

All these vulnerabilities requires authentication. There is no patch, so these are zero-day vulnerabilities 🙂 But you can find temporary workaround on the end of this paper.

1. SQL-injection via parameter payment_id (CVE-2022-29938)

Lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\ leads to SQL injection.

Vulnerable code is in file \librehealth_host\interface\billing\

    $rs= sqlStatement("select pay_total,global_amount from ar_session where session_id='$payment_id'");

And the request parameter is catched in file \librehealth_host\interface\billing\new_payment.php:49

$payment_id              = isset($_REQUEST['payment_id'])          ? $_REQUEST['payment_id']          : '';



2. Cross-Site Scripting (XSS) (CVE-2022-29939)

Lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.

Vulnerable code is in file \librehealth_host\interface\billing\sl_eob_process.php:592

<input type="hidden" name="debug" value="<?php echo $_REQUEST['debug'];?>" />
<input type="hidden" name="InsId" value="<?php echo $_REQUEST['InsId'];?>" />



3. Cross-Site Scripting (XSS) (CVE-2022-29940)

Lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

Vulnerable code is in file \librehealth_host\interface\orders\find_order_popup.php:91

function selcode(typeid) {
 location.href = 'find_order_popup.php<?php
echo "?order=$order&labid=$labid";
if (isset($_GET['formid' ])) echo '&formid='  . $_GET['formid'];
if (isset($_GET['formseq'])) echo '&formseq=' . $_GET['formseq'];
?>&typeid=' + typeid;
 return false;



Timeline of the vulnerabilities:

04/27/2022 – initial discover and requesting CVE id’s from MITRE
04/29/2022 – MITRE was assigned CVE id’s
05/01/2022 – notification to vendor
05/04/2022 – vendor confirmed and allowed to publish write-up (because the project is now in migration process to Laravel, where I think default filters of framework will cut off a lot of vulnerabilities)
05/04/2022 – published


There is no patch for this vulnerabilities because of migration to more stable framework. But as temporary workaround I advice you to add htmlspecialchars() before every echo function to fix XSS, and pass the $payment_id through add_escape_custom() function before execution SQL query to fix SQL-injection.

P.S. Special thanks to Robert O’Connor from LibreHealth team for quick responses.

Leave a comment

Your email address will not be published.