Open Dental contains hard-coded credentials
Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016
Open Dental is medical dental records management software. Open Dental contains hard-coded default credentials that allow administrative or root access to the patient database.
CWE-798: Use of Hard-coded Credentials – CVE-2016-6531
Open Dental contains a hard-coded default database credential.
An unauthenticated remote attacker with knowledge of the credentials may be able to obtain administrator access to the patient database.
A remote unauthenticated attacker with knowledge of the credential may be able to gain administrative access to the patient database.
Update MySQL database credentials
OpenDental makes use of a MySQL database backend.
The MySQL database credentials may be updated to prevent usage of the default credential.
For instructions on changing the password, please see http://www.opendental.com/manual/mysql.html.
You may also consider the following workaround:
Restrict network access
Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.
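The two mitigations above, applied on the MySQL server itself, as an added example that is not part of the original advisory or the vendor's instructions. The account name, host pattern and password are placeholders, and 192.0.2.% is a documentation range standing in for the trusted clinic subnet.

```sql
-- Added example. Run as a MySQL administrator on the database server.
-- '<account>', '<new-strong-password>' and 192.0.2.% are placeholders.

-- 1. Audit: list every account, the hosts it may connect from, and
--    whether it has an empty password. MySQL 5.7 and later store the
--    hash in authentication_string; on older servers query the
--    Password column instead.
SELECT user,
       host,
       plugin,
       COALESCE(authentication_string, '') = '' AS empty_password
FROM mysql.user
ORDER BY user, host;

-- 2. Replace the default credential on each account the audit shows
--    is still using it (MySQL 5.7 and later).
ALTER USER '<account>'@'localhost'
    IDENTIFIED BY '<new-strong-password>';

-- Equivalent statement on MySQL 5.6 and earlier:
-- SET PASSWORD FOR '<account>'@'localhost' = PASSWORD('<new-strong-password>');

-- 3. Restrict where the account may connect from. If the audit shows
--    a wildcard host entry ('%'), narrow it to the trusted subnet.
--    RENAME USER keeps the account's existing privileges.
RENAME USER '<account>'@'%' TO '<account>'@'192.0.2.%';

-- 4. Verify: no account should remain with an empty password or an
--    unrestricted host.
SELECT user, host
FROM mysql.user
WHERE host = '%'
   OR COALESCE(authentication_string, '') = '';
```

Workstations that connect to the database need the new password configured before they can reconnect. The host restriction inside MySQL complements, and does not replace, the firewall rule on the database port.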
Vendor Information
16 Aug 2016
Thanks to Justin Shafer for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: CVE-2016-6531
Date Public: 06 Sep 2016
Date First Published: 06 Sep 2016
Date Last Updated: 06 Sep 2016
Document Revision: 16