| ID | Severity | Published | Description | Affected versions |
|---|---|---|---|---|
| CVE-2020-5733 | Medium | Apr 17, 2020 | In OpenMRS 2.9 and prior, the export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows the export of potentially sensitive information. | 2.4.7, 2.7.4, 2.7.3, 2.7.2, 2.6.15, 2.6.14, 2.7.1, 2.6.13, 2.5.14, 2.5.13 |
| CVE-2020-5732 | Medium | Apr 17, 2020 | In OpenMRS 2.9 and prior, the import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows unauthenticated users to use a feature typically restricted to administrators. | 2.4.7, 2.7.4, 2.7.3, 2.7.2, 2.6.15, 2.6.14, 2.7.1, 2.6.13, 2.5.14, 2.5.13 |
| CVE-2020-5731 | Medium | Apr 17, 2020 | In OpenMRS 2.9 and prior, the app parameter for the ActiveVisit's page is vulnerable to cross-site scripting. | 2.4.7, 2.7.4, 2.7.3, 2.7.2, 2.6.15, 2.6.14, 2.7.1, 2.6.13, 2.5.14, 2.5.13 |
| CVE-2020-5730 | Medium | Apr 17, 2020 | In OpenMRS 2.9 and prior, the sessionLocation parameter for the login page is vulnerable to cross-site scripting. | 2.4.7, 2.7.4, 2.7.3, 2.7.2, 2.6.15, 2.6.14, 2.7.1, 2.6.13, 2.5.14, 2.5.13 |
| CVE-2020-5729 | Medium | Apr 17, 2020 | In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue. | 2.4.7, 2.7.4, 2.7.3, 2.7.2, 2.6.15, 2.6.14, 2.7.1, 2.6.13, 2.5.14, 2.5.13 |
| CVE-2020-5728 | Medium | Apr 17, 2020 | OpenMRS 2.9 and prior copies "Referrer" header values into an HTML element named "redirectUrl" within many webpages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting. | 2.4.7, 2.7.4, 2.7.3, 2.7.2, 2.6.15, 2.6.14, 2.7.1, 2.6.13, 2.5.14, 2.5.13 |
| CVE-2017-12796 | Critical | Oct 23, 2017 | The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request. | 2.4.7, 2.5.14, 2.5.13, 2.5.12, 2.3.6, 2.5.11, 2.5.10, 2.5.9, 2.5.8, 2.5.7 |
| BDSA-2025-2044 | High | Mar 12, 2025 | OpenMRS is vulnerable to stored cross-site scripting (XSS) due to improper sanitization of the `personName.middleName` parameter in the `shortPatientForm.form` endpoint. This could allow an attacker to execute arbitrary web scripts or HTML, potentially leading to unauthorized actions or data exposure. **Note: The authoring of this BDSA has been AI-assisted. The full technical details of the vulnerability have not been independently verified by the Black Duck Cybersecurity Research Center (CyRC).** | |
| BDSA-2025-2043 | Medium | Mar 12, 2025 | OpenMRS is vulnerable to cross-site request forgery (CSRF) due to insufficient validation of GET requests. This could allow an attacker to trick an authenticated user into performing unintended actions, such as deleting user metadata packages. **Note: The authoring of this BDSA has been AI-assisted. The full technical details of the vulnerability have not been independently verified by the Black Duck Cybersecurity Research Center (CyRC).** | |
| BDSA-2025-2042 | High | Mar 12, 2025 | OpenMRS is vulnerable to cross-site request forgery (CSRF) due to insufficient validation in the `/admin/users/user.form` endpoint. This could allow an attacker to execute arbitrary operations, such as elevating a low-privileged account to an administrative role. **Note: The authoring of this BDSA has been AI-assisted. The full technical details of the vulnerability have not been independently verified by the Black Duck Cybersecurity Research Center (CyRC).** | |