CVE-2023-22973
Published: 22 February 2023
Summary
CVE-2023-22973 is a high-severity Path Traversal (CWE-22) vulnerability in OpenEMR (listed as Open-Emr Openemr). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 27.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-22973 is a local file inclusion vulnerability in the interface/forms/LBF/new.php component of OpenEMR versions prior to 7.0.0. The flaw is triggered through the formname parameter and is tracked under CWE-22, carrying a CVSS 3.1 score of 8.8.
Remote authenticated users can supply a crafted formname value that causes the script to include and execute arbitrary local files, resulting in remote code execution on the underlying server.
Official OpenEMR patch notes for the 7.0.0 release address the issue, and independent analysis from SonarSource confirms the path to code execution and the availability of the fix.
The EPSS score for this CVE rose from a low baseline to a peak of 0.0542 on 2025-01-22 before receding to its current value of 0.0073, indicating a period of heightened exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-27073
Vulnerability details
A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to execute code via the formname parameter.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.
Input validation for file paths: validate pathnames and filenames so that user-supplied values cannot traverse outside the intended directory.
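The control above, shown as an added PHP example that is not OpenEMR's own code: a user-supplied form name is accepted only if it matches a strict character allowlist, and the resolved file is then checked to lie inside the expected base directory before any include. The base directory and the form script name are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-controlled form name to a script path under $baseDir,
 * or return null if the value is unsafe. Two independent checks:
 *   1. a syntactic allowlist (letters, digits, underscore only), which
 *      rejects "../", absolute paths, null bytes and stream wrappers;
 *   2. canonicalisation with realpath() plus a containment check, so the
 *      final path cannot escape the base directory through symlinks.
 */
function resolveFormScript(string $formName, string $baseDir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $formName)) {
        return null; // fails the allowlist
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $formName . '.php');
    if ($candidate === false) {
        return null; // no such form script
    }
    // Compare against the base prefix including the trailing separator,
    // so "/forms_x/../forms_xy" style siblings are not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $candidate;
}

// Demonstration with a constructed temporary directory and one form script.
$dir = sys_get_temp_dir() . '/forms_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/vitals.php", "<?php return 'vitals';\n");

$samples = ['vitals', 'missing_form', '../../etc/passwd', "vitals\0", 'php://input'];
foreach ($samples as $name) {
    $path = resolveFormScript($name, $dir);
    printf("%-20s => %s\n", addcslashes($name, "\0"), $path === null ? 'rejected' : 'accepted');
}

unlink("$dir/vitals.php");
rmdir($dir);
```

Only the existing, allowlisted name is accepted; the traversal, null-byte and wrapper inputs never reach the filesystem check because the allowlist rejects them first.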