{"id":"CVE-2019-16404","details":"Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.","modified":"2026-03-14T09:33:19.697402Z","published":"2019-10-21T23:15:12.107Z","references":[{"type":"EVIDENCE","url":"https://github.com/lodestone-security/CVEs/blob/master/CVE-2019-16404/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openemr/openemr","events":[{"introduced":"8410e4c144d72b476cd530c5bb8d4e5db2f0a255"},{"last_affected":"35a67d11567419866d8aa9de0ae355676eeebede"}],"database_specific":{"versions":[{"introduced":"5.0.1"},{"last_affected":"5.0.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16404.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}