{"api_version":"1","generated_at":"2026-05-30T08:06:00+00:00","cve":"CVE-2023-54347","urls":{"html":"https://cve.report/CVE-2023-54347","api":"https://cve.report/api/cve/CVE-2023-54347.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-54347","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-54347"},"summary":{"title":"OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass","description":"OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions.","state":"PUBLISHED","assigner":"VulnCheck","published_at":"2026-05-05 12:16:17","updated_at":"2026-05-05 20:00:28"},"problem_types":["CWE-307","CWE-307 Improper Restriction of Excessive Authentication Attempts"],"metrics":[{"version":"4.0","source":"disclosure@vulncheck.com","type":"Secondary","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"}},{"version":"3.1","source":"disclosure@vulncheck.com","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz","name":"https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz","refsource":"disclosure@vulncheck.com","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.open-emr.org/","name":"https://www.open-emr.org/","refsource":"disclosure@vulncheck.com","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vulncheck.com/advisories/openemr-authentication-brute-force-mitigation-bypass","name":"https://www.vulncheck.com/advisories/openemr-authentication-brute-force-mitigation-bypass","refsource":"disclosure@vulncheck.com","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/51413","name":"https://www.exploit-db.com/exploits/51413","refsource":"disclosure@vulncheck.com","tags":["Exploit","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-54347","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54347","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Open-Emr","product":"OpenEMR","version":"affected 7.0.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"abhhi (Abhishek Birdawade)","lang":"en"}],"nvd_cpes":[{"cve_year":"2023","cve_id":"54347","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"open-emr","cpe5":"openemr","cpe6":"7.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2023","cve_id":"54347","cve":"CVE-2023-54347","epss":"0.001480000","percentile":"0.347690000","score_date":"2026-05-05","updated_at":"2026-05-06 00:08:09"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"OpenEMR","vendor":"Open-Emr","versions":[{"status":"affected","version":"7.0.1"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.1:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.4:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:8.0.0:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.3:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.3.1:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.3.0:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.2.1:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.2.2:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.2.3:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.3.2:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.3.3:*:*:*:*:*:*:*","vulnerable":true},{"criteria":"cpe:2.3:a:open-emr:openemr:7.0.3.4:*:*:*:*:*:*:*","vulnerable":true}],"negate":false,"operator":"OR"}]}],"credits":[{"lang":"en","type":"finder","value":"abhhi (Abhishek Birdawade)"}],"datePublic":"2023-04-28T00:00:00.000Z","descriptions":[{"lang":"en","value":"OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-307","description":"Improper Restriction of Excessive Authentication Attempts","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-05T11:24:50.970Z","orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck"},"references":[{"name":"ExploitDB-51413","tags":["exploit"],"url":"https://www.exploit-db.com/exploits/51413"},{"name":"Official Product Homepage","tags":["product"],"url":"https://www.open-emr.org/"},{"name":"Product Reference","tags":["product"],"url":"https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz"},{"name":"VulnCheck Advisory: OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/openemr-authentication-brute-force-mitigation-bypass"}],"title":"OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass","x_generator":{"engine":"vulncheck"}}},"cveMetadata":{"assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","assignerShortName":"VulnCheck","cveId":"CVE-2023-54347","datePublished":"2026-05-05T11:24:50.970Z","dateReserved":"2026-01-10T01:51:52.985Z","dateUpdated":"2026-05-05T11:24:50.970Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 12:16:17","lastModifiedDate":"2026-05-05 20:00:28","problem_types":["CWE-307","CWE-307 Improper Restriction of Excessive Authentication Attempts"],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:open-emr:openemr:7.0.1:*:*:*:*:*:*:*","matchCriteriaId":"49234EA5-1593-40E1-93AF-A71F05056639"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2023","CveId":"54347","Ordinal":"1","Title":"OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass","CVE":"CVE-2023-54347","Year":"2023"},"notes":[{"CveYear":"2023","CveId":"54347","Ordinal":"1","NoteData":"OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions.","Type":"Description","Title":"OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass"}]}}}