Describe the bug
ASVS: 7.1.1 (Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form).
CWE: 532 (Insertion of Sensitive Information into Log File).
OpenEMR logs the check number (a sensitive payment detail) when a new "Batch Payment Entry" is made, under Category = "other" and Event = "other-insert".
To Reproduce
Steps to reproduce the behavior:
Log in to OpenEMR using the admin credentials.
Navigate to Fees → Batch payments to make a “Batch Payment Entry”.
Set “Date” to the previous date, “Post to date” to the current date, “Payment Method” to Check Payment, “Check number” to “123456789”, and “Payment Amount” to 100.
Use the default values for “Paying entity” and “Payment category”.
Set “Payment From” to a user in the system, and click the “Save changes” button.
Click “OK” on the confirmation and allocation pop-ups.
Navigate to Admin → System → Logs and click on Submit to view the logs.
Check for the log under Category = “other” and Event = “other-insert”.
Expected behavior
The “check number” and other payment details should not be displayed (or should be masked) in the log.
Client configuration
Browser: Version 122.0.6261.129 (Official Build) (arm64)
OpenEMR version: v7.0.2
Operating system: MacOS
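The masking the report asks for, as an added example in PHP (OpenEMR's language); this is illustrative code and not OpenEMR's own audit-log implementation. It assumes the audit entry for an "other-insert" event is the raw INSERT statement, that the column is named check_number, and that a server-side HMAC key is available; the table name `ar_session`, the key, and the sample statement are constructed for the example.

```php
<?php
// Added example, not OpenEMR project code. Shows how a payment reference
// (check number) can be masked before it is written to an audit log, so the
// log retains a correlatable token rather than the raw value (ASVS 7.1.1).

declare(strict_types=1);

/**
 * Mask a check number: keep the last 4 characters and append a truncated
 * HMAC so repeated use of the same reference can still be correlated
 * without revealing it. $hmacKey is an assumed server-side secret.
 */
function maskPaymentReference(string $checkNumber, string $hmacKey): string
{
    if ($checkNumber === '') {
        return '';
    }
    $visible = strlen($checkNumber) > 4 ? substr($checkNumber, -4) : $checkNumber;
    $tag = substr(hash_hmac('sha256', $checkNumber, $hmacKey), 0, 8);
    return '****' . $visible . '#' . $tag;
}

/**
 * Mask sensitive payment fields in a structured field array before logging.
 * The list of sensitive keys is an assumption for this example.
 */
function redactPaymentFields(array $fields, string $hmacKey): array
{
    $sensitive = ['check_number', 'reference', 'payment_reference'];
    foreach ($sensitive as $key) {
        if (isset($fields[$key]) && is_string($fields[$key])) {
            $fields[$key] = maskPaymentReference($fields[$key], $hmacKey);
        }
    }
    return $fields;
}

/**
 * Redact check_number values inside a raw SQL statement of the kind an
 * "other-insert" audit event records. Only the "column = 'value'" form
 * (INSERT ... SET / UPDATE ... SET) is handled; a positional VALUES list
 * would need the column order and is deliberately left alone here.
 */
function redactCheckNumberInSql(string $sql, string $hmacKey): string
{
    return preg_replace_callback(
        "/(check_number\s*=\s*')([^']*)(')/i",
        fn(array $m): string => $m[1] . maskPaymentReference($m[2], $hmacKey) . $m[3],
        $sql
    );
}

// Constructed sample input, modelled on the reproduction steps above.
$hmacKey = 'example-server-secret'; // assumed; load from protected config in real code
$auditSql = "INSERT INTO ar_session SET payment_method = 'check_payment', "
          . "check_number = '123456789', pay_total = '100'";

echo redactCheckNumberInSql($auditSql, $hmacKey), PHP_EOL;

print_r(redactPaymentFields(
    ['check_number' => '123456789', 'pay_total' => '100'],
    $hmacKey
));
```

The masked form deliberately keeps the last four characters and a keyed, truncated HMAC rather than a plain hash: an unkeyed hash of a nine-digit check number is trivially brute-forced, while the HMAC is only reversible by whoever holds the key, which satisfies the "irreversible" intent of ASVS 7.1.1 while still letting an auditor match two log entries that refer to the same check.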
adunsulag changed the title from “Bug: OpenEMR logs sensitive information such as payment details” to “bug: OpenEMR logs sensitive field - payment reference number” on May 20, 2024.