CVE-2023-2944: bug fix (#6267) · openemr/openemr@723ac5d
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
@@ -17,8 +17,14 @@
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('admin’, ‘practice’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Address Book”)]);
exit;
}
if (!empty($_POST)) {
if (!CsrfUtils::verifyCsrfToken($_POST[“csrf_token_form”])) {
CsrfUtils::csrfNotVerified();
@@ -467,7 +473,7 @@ function typeSelect(a) {
<label for="form_state" class="font-weight-bold col-form-label col-form-label-sm"><?php echo xlt(‘State’) . “/” . xlt(‘county’); ?>:</label>
</div>
<div class="col">
<?php echo generate_select_list('form_state’, 'state’, ($row[‘state’] ?? null), '’, 'Unassigned’, 'form-control-sm’, 'typeSelect(this.value)'); ?>
<?php echo generate_select_list('form_state’, 'state’, ($row[‘state’] ?? null), '’, 'Unassigned’, 'form-control-sm’, 'typeSelect(this.value)'); ?>
</div>
<div class="col-2">
<label for="form_zip" class="font-weight-bold col-form-label col-form-label-sm"><?php echo xlt(‘Postal code’); ?>:</label>
@@ -498,7 +504,7 @@ function typeSelect(a) {
<label for="form_state2" class="font-weight-bold col-form-label col-form-label-sm"><?php echo xlt(‘Alt State’) . “/” . xlt(‘county’); ?>:</label>
</div>
<div class="col-auto">
<?php echo generate_select_list('form_state2’, 'state’, ($row[‘state2’] ?? null), '’, 'Unassigned’, 'form-control-sm’, 'typeSelect(this.value)'); ?>
<?php echo generate_select_list('form_state2’, 'state’, ($row[‘state2’] ?? null), '’, 'Unassigned’, 'form-control-sm’, 'typeSelect(this.value)'); ?>
</div>
<div class="col-auto">
<label for="form_zip2" class="font-weight-bold col-form-label col-form-label-sm"><?php echo xlt(‘Alt Postal code’); ?>:</label>