The Zero (0) Day Division is a group of security professionals working towards a common goal; securing open-source projects.
Arbitrary file upload vulnerability allowing any user who can set profile pictures to be able to execute code on the hosting system. In lh-ehr, an attacker must be authenticated, and have sufficient privileges to upload a user profile picture (either for a user, or a patient) to perform this attack. It appears any valid user can perform this.
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
SQL Injections are vulnerabilities in which the developer overly trusts user controlled input. This allows an attacker to perform malicious queries upon the database, which can lead to compromise of all data within the database and question the integrity of the data.
An attacker must be authenticated to perform this attack.
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Unrestricted file write vulnerabilities allow attackers to write file such as PHP files, in locations where the web server user has access to write. This may allow an attacker to write files with malicious content and may lead to remote code execution.
An attacker must be authenticated to perform this attack.