Cyber Resilience

CVE-2023-22973

Severity: High
Public PoC: referenced

Published: 22 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (OpenEMR 7.0.0)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0073 (73.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22973 is a high-severity Path Traversal (CWE-22) vulnerability in OpenEMR (vendor open-emr, product openemr). Its CVSS v3.1 base score is 8.8 (High).

Operationally, the CVE ranks in the top 27.0% of CVEs by exploit likelihood (EPSS 0.0073, 73.0th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-22973 is a local file inclusion (LFI) vulnerability in the interface/forms/LBF/new.php script of OpenEMR versions prior to 7.0.0. The flaw is triggered through the formname parameter, is classified as CWE-22 (path traversal), and carries a CVSS 3.1 base score of 8.8.

A remote user who holds a valid OpenEMR account (the vector requires low privileges, PR:L, and no user interaction) can supply a crafted formname value that makes the script include, and therefore execute, an arbitrary local file, resulting in remote code execution on the underlying server.
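Because the trigger is a single request parameter, exploitation attempts of this CVE are visible in web server access logs. The scanner below is an added example for this page, not OpenEMR code and not a reproduction of the referenced PoC. It assumes the formname parameter is sent in the query string of a GET request and that the server writes combined-format access logs; the log lines are constructed for the example, and the hostname path prefix /openemr/ is an assumption. A POST body would not appear in the access log and would need request-body logging or a WAF to inspect. The check decodes the value repeatedly (bounded) so that double-encoded traversal such as %252e%252e is not missed.

```python
"""Flag requests that send a traversal-style formname to interface/forms/LBF/new.php.

Added detection example for this CVE page; it is not OpenEMR code and not a
reproduction of the public PoC. Assumptions: the parameter arrives in the query
string of a GET request, and the web server writes combined-format access logs
(POST bodies are not logged and would need a WAF or request-body logging).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Feb/2023:10:01:02 +0000] "GET /openemr/interface/forms/LBF/new.php?formname=LBF1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Feb/2023:10:01:07 +0000] "GET /openemr/interface/forms/LBF/new.php?formname=../../../../etc/passwd HTTP/1.1" 500 220 "-" "curl/7.88.1"
10.0.0.9 - - [23/Feb/2023:10:01:09 +0000] "GET /openemr/interface/forms/LBF/new.php?formname=..%2F..%2Fx HTTP/1.1" 200 88 "-" "curl/7.88.1"
10.0.0.9 - - [23/Feb/2023:10:01:11 +0000] "GET /openemr/interface/forms/LBF/new.php?formname=%252e%252e%252fx HTTP/1.1" 200 88 "-" "curl/7.88.1"
10.0.0.7 - - [23/Feb/2023:10:02:00 +0000] "GET /openemr/interface/patient_file/summary/demographics.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/interface/forms/LBF/new.php"   # script named in the advisory
MAX_DECODE_ROUNDS = 3                         # bound repeated percent-decoding


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing so %252e%252e reads as '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value carries a parent reference, a separator or a NUL."""
    decoded = fully_decode(value).replace("\\", "/")
    return ".." in decoded or "/" in decoded or "\x00" in decoded


def scan_log(text: str) -> list[dict]:
    """Return one record per request to the vulnerable script with a suspicious formname."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(VULN_PATH):
            continue
        # parse_qs already performs one round of percent-decoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get("formname", []):
            if is_traversal(raw):
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "formname": raw, "decoded": fully_decode(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} formname={hit['decoded']!r}")
```

A 200 response to a traversal-style formname is worth more attention than a 500: the advisory describes arbitrary file inclusion, so a successful include may well render normally. Tune the path prefix to the deployment's URL layout before running this over production logs.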

The official OpenEMR 7.0.0 release notes address the issue, and independent analysis from SonarSource confirms both the path to code execution and the availability of the fix.

The EPSS score for this CVE rose from a low baseline to a peak of 0.0542 on 2025-01-22 before receding to its current value of 0.0073, indicating a period of heightened exploitation interest well after the initial disclosure.

Vulnerability details

A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to execute code via the formname parameter.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: open-emr
Product: openemr
Versions: < 7.0.0 (fixed in 7.0.0)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname and filename validation (addresses CWE-22)

Validates pathnames and filenames to prevent traversal outside intended directories: restrict identifiers such as formname to an allowlist pattern, canonicalize the resulting path, and confirm that the resolved path still lies inside the intended directory before it is included.
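The control above, and the "crafted formname" trigger described in the deeper analysis, come down to one check: never let a request parameter select a file to include without validating it. The function below is an added example written for this page, not OpenEMR's code or its actual fix. It assumes, for illustration only, that form modules live at <forms_root>/<formname>/new.php and that legitimate form names are plain identifiers; the directory names vitals, outside and evil_link are constructed for the demo. Two independent layers are used: an allowlist regex on the identifier, then a realpath containment check, so that a symlink inside the forms directory (which the regex cannot see) is still caught.

```python
"""Validate a form name before it is used to build an include path.

Added example for the CWE-22 control on this page; not OpenEMR's code or fix.
Assumed layout (illustration only): <forms_root>/<formname>/new.php, with
legitimate form names being simple identifiers.
"""
import os
import re
import tempfile

# Allowlist: letters, digits, underscore, hyphen; no dots, slashes or NULs.
FORM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeFormName(ValueError):
    """Raised when a form name must not be used to build a path."""


def resolve_form_script(forms_root: str, formname: str, filename: str = "new.php") -> str:
    """Return the absolute script path for formname, or raise UnsafeFormName.

    Layer 1 rejects anything that is not a plain identifier.
    Layer 2 canonicalizes the path (following symlinks) and requires that it
    still lies under forms_root, so a symlinked entry or a future regex mistake
    cannot escape the directory.
    """
    if not FORM_NAME_RE.fullmatch(formname):
        raise UnsafeFormName(f"rejected form name {formname!r}")
    root = os.path.realpath(forms_root)
    candidate = os.path.realpath(os.path.join(root, formname, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFormName(f"{formname!r} resolves outside {root}")
    if not os.path.isfile(candidate):
        raise UnsafeFormName(f"no such form module: {formname!r}")
    return candidate


def is_safe_formname(forms_root: str, formname: str) -> bool:
    """Boolean wrapper around resolve_form_script for callers that only need yes/no."""
    try:
        resolve_form_script(forms_root, formname)
        return True
    except UnsafeFormName:
        return False


def demo() -> dict:
    """Build a throwaway forms tree (constructed data) and probe it; returns name -> accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        forms = os.path.join(tmp, "forms")
        os.makedirs(os.path.join(forms, "vitals"))
        with open(os.path.join(forms, "vitals", "new.php"), "w") as f:
            f.write("<?php // legitimate form module\n")
        os.makedirs(os.path.join(tmp, "outside"))
        with open(os.path.join(tmp, "outside", "new.php"), "w") as f:
            f.write("<?php // must not be reachable\n")
        # Regex-clean directory entry that points outside the forms root.
        os.symlink(os.path.join(tmp, "outside"), os.path.join(forms, "evil_link"))
        probes = [
            "vitals",                    # accepted
            "../../etc/passwd",          # classic traversal, rejected by regex
            "..%2f..%2fetc%2fpasswd",    # encoded traversal, rejected by regex
            "vitals\x00",                # NUL truncation attempt, rejected by regex
            "/etc/passwd",               # absolute path, rejected by regex
            "evil_link",                 # passes regex, rejected by realpath containment
            "missing",                   # well-formed but no such module
        ]
        return {name: is_safe_formname(forms, name) for name in probes}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name!r:32} -> {'accepted' if accepted else 'rejected'}")
```

The realpath layer is the one that matters when the allowlist is loosened later, or when an attacker can create files or links inside the forms directory through some other weakness; keep both layers even when the regex alone seems sufficient.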
