During an internship at NitroTeam.kz, my students found several vulnerabilities in LibreHealth: Broken Access Control (CVE-2022-31496), Cross-Site Scripting (CVE-2022-31492, CVE-2022-31493, CVE-2022-31494, CVE-2022-31495, CVE-2022-31497, CVE-2022-31498).
I have found several vulnerabilities in open-source system LibreHealth EHR 2.0.0. More precisely 1 SQL-injection (CVE-2022-29938) and 2 Cross-site scripting (XSS) (CVE-2022-29939, CVE-2022-29940) vulnerabilities.
I spoke at conference Kolesa Conf’21 several days ago with topic “Hacking up-to-date Wordpress”. Presentation shows that cross-site scripting (XSS) almost always will lead to client-side request forgery, and most times to remote code execution (RCE) even in the case with freshest Wordpress.