CVE-2025-32967
May 23, 2025, 4:15 p.m.
5.4
Medium
Description
OpenEMR is a free and open source electronic health records and medical practice management application. A logging oversight in versions prior to 7.0.3.4 allows password change events to go unrecorded on the client-side log viewer, preventing administrators from auditing critical actions. This weakens traceability and opens the system to undetectable misuse by insiders or attackers. Version 7.0.3.4 contains a patch for the issue.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Openemr |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-778
Insufficient Logging
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | openemr | openemr | <7.0.3.4 | / | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Timeline
Published: May 23, 2025, 4:15 p.m.
Last Modified: May 23, 2025, 4:15 p.m.
Last Modified: May 23, 2025, 4:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security-advisories@github.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.