CVE-2021-25923
First published: Thu Jun 24 2021(Updated: )
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Open-emr Openemr | >=5.0.0<=6.0.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-25923?
CVE-2021-25923 is a vulnerability in OpenEMR versions 5.0.0 to 6.0.0.1 that allows for weak password requirements and can lead to an account takeover.
How does CVE-2021-25923 work?
CVE-2021-25923 allows a malicious user who knows the first 72 characters of a victim user's password to leverage it for an account takeover.
What is the severity of CVE-2021-25923?
CVE-2021-25923 has a severity rating of 8.1 (high).
Which software versions are affected by CVE-2021-25923?
OpenEMR versions 5.0.0 to 6.0.0.1 are affected by CVE-2021-25923.
Is there a fix for CVE-2021-25923?
There is no specific fix mentioned, but it is recommended to enforce a maximum password length limit to mitigate this vulnerability.
- collector/nvd-index
- vendor/open-emr
- canonical/open-emr openemr
- version/open-emr openemr/5.0.0
- version/open-emr openemr/6.0.0.1