Filtered by vendor Openmrs
Subscriptions
Total
25 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-16521 | 1 Openmrs | 2 Html Form Entry, Reference Application | 2024-09-16 | N/A |
| An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0. | ||||
| CVE-2017-7990 | 1 Openmrs | 1 Openmrs Module Reporting | 2024-09-16 | N/A |
| The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp. | ||||
| CVE-2014-8071 | 1 Openmrs | 1 Openmrs | 2024-08-06 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to allergyui/allergy.page; the (6) w10 parameter to htmlformentryui/htmlform/enterHtmlForm/submit.action; the (7) HTTP Referer Header to login.htm; the (8) returnUrl parameter to htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page or (9) coreapps/mergeVisits.page; or the (10) visitId parameter to htmlformentryui/htmlform/enterHtmlFormWithSimpleUi.page. | ||||
| CVE-2014-8073 | 1 Openmrs | 1 Openmrs | 2024-08-06 | N/A |
| Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standalone Edition allows remote attackers to hijack the authentication of administrators for requests that add a new user via a Save User action to admin/users/user.form. | ||||
| CVE-2014-8072 | 1 Openmrs | 1 Openmrs | 2024-08-06 | N/A |
| The administration module in OpenMRS 2.1 Standalone Edition allows remote authenticated users to obtain read access via a direct request to /admin. | ||||
| CVE-2017-12795 | 1 Openmrs | 1 Openmrs-module-htmlformentry | 2024-08-05 | N/A |
| OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper Input Validation). | ||||
| CVE-2017-12796 | 1 Openmrs | 1 Openmrs | 2024-08-05 | N/A |
| The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request. | ||||
| CVE-2018-19276 | 1 Openmrs | 1 Openmrs | 2024-08-05 | 9.8 Critical |
| OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body. | ||||
| CVE-2020-36635 | 1 Openmrs | 1 Appointment Scheduling Module | 2024-08-04 | 3.5 Low |
| A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x. It has been classified as problematic. This affects the function validateFieldName of the file api/src/main/java/org/openmrs/module/appointmentscheduling/validator/AppointmentTypeValidator.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.13.0 is able to address this issue. The name of the patch is 34213c3f6ea22df427573076fb62744694f601d8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216915. | ||||
| CVE-2020-36636 | 1 Openmrs | 1 Admin Ui Module | 2024-08-04 | 3.5 Low |
| A vulnerability classified as problematic has been found in OpenMRS Admin UI Module up to 1.4.x. Affected is the function sendErrorMessage of the file omod/src/main/java/org/openmrs/module/adminui/page/controller/systemadmin/accounts/AccountPageController.java of the component Account Setup Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 702fbfdac7c4418f23bb5f6452482b4a88020061. It is recommended to upgrade the affected component. VDB-216918 is the identifier assigned to this vulnerability. | ||||
| CVE-2020-24621 | 1 Openmrs | 1 Htmlformentry | 2024-08-04 | 8.8 High |
| A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed. | ||||
| CVE-2020-5731 | 1 Openmrs | 1 Openmrs | 2024-08-04 | 6.1 Medium |
| In OpenMRS 2.9 and prior, the app parameter for the ActiveVisit's page is vulnerable to cross-site scripting. | ||||
| CVE-2020-5733 | 1 Openmrs | 1 Openmrs | 2024-08-04 | 6.1 Medium |
| In OpenMRS 2.9 and prior, the export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows the export of potentially sensitive information. | ||||
| CVE-2020-5732 | 1 Openmrs | 1 Openmrs | 2024-08-04 | 6.1 Medium |
| In OpenMRS 2.9 and prior, he import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows unauthenticated users to use a feature typically restricted to administrators. | ||||
| CVE-2020-5728 | 1 Openmrs | 1 Openmrs | 2024-08-04 | 6.1 Medium |
| OpenMRS 2.9 and prior copies "Referrer" header values into an html element named "redirectUrl" within many webpages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting. | ||||
| CVE-2020-5730 | 1 Openmrs | 1 Openmrs | 2024-08-04 | 6.1 Medium |
| In OpenMRS 2.9 and prior, the sessionLocation parameter for the login page is vulnerable to cross-site scripting. | ||||
| CVE-2020-5729 | 1 Openmrs | 1 Openmrs | 2024-08-04 | 6.1 Medium |
| In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue. | ||||
| CVE-2021-43094 | 1 Openmrs | 2 Openmrs, Reference Application | 2024-08-04 | 9.8 Critical |
| An SQL Injection vulnerability exists in OpenMRS Reference Application Standalone Edition <=2.11 and Platform Standalone Edition <=2.4.0 via GET requests on arbitrary parameters in patient.page. | ||||
| CVE-2021-4292 | 1 Openmrs | 1 Admin Ui Module | 2024-08-03 | 3.5 Low |
| A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/metadata/privileges/privilege.gsp of the component Manage Privilege Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 4f8565425b7c74128dec9ca46dfbb9a3c1c24911. It is recommended to upgrade the affected component. The identifier VDB-216917 was assigned to this vulnerability. | ||||
| CVE-2021-4291 | 1 Openmrs | 1 Admin Ui Module | 2024-08-03 | 3.5 Low |
| A vulnerability was found in OpenMRS Admin UI Module up to 1.5.x. It has been declared as problematic. This vulnerability affects unknown code of the file omod/src/main/webapp/pages/metadata/locations/location.gsp. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.6.0 is able to address this issue. The name of the patch is a7eefb5f69f6c50a3bffcb138bb8ea57cb41a9b6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216916. | ||||