RA-1259: Stored XSS in name and description fields in reports

Project: Reference Application
Parent issue: RA-452 XSS vulnerabilities in Ref App 2.x


Details

Complexity: Undetermined

Description

Report names and descriptions are not sanitized, leading to several XSS vulnerabilities in the reporting module.

Example:
An attacker could inject JavaScript in the form at this URL:
http://localhost/openmrs/module/reporting/reports/periodIndicatorReport.form

The injected JavaScript would then be executed on the following pages:
http://localhost/openmrs/module/reporting/reports/manageReports.form
http://localhost/openmrs/module/reporting/dashboard/index.form
...and possibly others
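As an added illustration, not code from the OpenMRS reporting module, the Java snippet below contrasts the vulnerable pattern the ticket describes (a stored report name and description concatenated straight into the manage-reports markup) with the hardened form that HTML-encodes each value at the point of output; the `ReportListRenderer` class, the `escapeHtml` helper and the sample values are assumptions constructed for this example.

```java
/** Added example: output-encode stored report metadata before it is rendered into a page. */
public class ReportListRenderer {

    /** Minimal HTML entity encoder for element content and attribute values (assumption: not the module's own code). */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: stored user input is concatenated directly into markup. */
    static String renderRowUnsafe(String name, String description) {
        return "<tr><td>" + name + "</td><td>" + description + "</td></tr>";
    }

    /** Hardened pattern: every untrusted value is encoded when it is written into HTML. */
    static String renderRowSafe(String name, String description) {
        return "<tr><td>" + escapeHtml(name) + "</td><td>" + escapeHtml(description) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample: a report name carrying markup, as it might be saved through the report form.
        String name = "Monthly <script>alert(1)</script>";
        String description = "Indicators for \"Q1\" & Q2";
        System.out.println(renderRowUnsafe(name, description)); // the script element reaches the browser intact
        System.out.println(renderRowSafe(name, description));   // rendered as &lt;script&gt;...; shown as text, not executed
    }
}
```

In a JSP view the equivalent fix is to emit the stored values through `<c:out value="${report.name}"/>`, which escapes by default, rather than a bare `${report.name}` expression.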

People

Assignee: dkayiwa Daniel Kayiwa
Reporter: isears Isaac Sears
Votes: 0
Watchers: 3
