Details
- Technical task
- Status: Approved
- TBD
- Resolution: Fixed
- None
- None
- Undetermined
- Ref App 2.11 Release Sprint 3, Ref App 2.12 Priorities
Description
Steps to reproduce vulnerability:
1.) From the main page, click on "Appointment Scheduling"
2.) Click "Manage Service Types"
- At this point the user should be on a page that lists service types, with a URL similar to the following (depending on the location of your OpenMRS installation):
http://192.168.0.15:8080/openmrs/appointmentschedulingui/manageAppointmentTypes.page
3.) Click "New Service Type"
4.) Set the name of the new service type to the following string:
" onmouseover="alert('xss')"
5.) Set the duration and description to any normal value
6.) Click "Save"
- The user should be redirected to the "Manage Service Types" page, which displays all service types in tabular format
7.) On that page, hover the mouse over the edit button associated with the new service type in the service type table (an XSS alert popup should be triggered - see attachment)
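The report above is a stored attribute-injection XSS: the service type name is written into an HTML attribute of the edit button without encoding, so the leading quote in the name closes the attribute and the rest of the string becomes a new `onmouseover` attribute. The following is an added example, not code from OpenMRS or from this issue, that reproduces the rendering defect in isolation and shows the fix (HTML attribute encoding). The `data-name` attribute, the `renderEditButton*` functions and the small `attributeNames` tokenizer are assumptions made for the illustration; the payload string is the one from the report.

```javascript
// Added example (not part of OpenMRS or of this issue): why the reported name
// breaks out of an attribute, and how attribute encoding stops it.

// The service type name from the issue description.
const REPORTED_NAME = '" onmouseover="alert(\'xss\')"';

// Vulnerable pattern (assumed shape of the affected markup): the untrusted
// name is string-concatenated into a double-quoted attribute unencoded.
function renderEditButtonUnsafe(serviceTypeName) {
  return '<a class="edit" data-name="' + serviceTypeName + '">Edit</a>';
}

// Encode the five characters that can change meaning inside HTML text or a
// quoted attribute value. Any server-side template's attribute escaper does
// the same job; this is written out so the example is self-contained.
function escapeHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed pattern: same markup, value encoded before insertion.
function renderEditButtonSafe(serviceTypeName) {
  return '<a class="edit" data-name="' + escapeHtmlAttribute(serviceTypeName) + '">Edit</a>';
}

// Simplified tokenizer for the first tag of an HTML string: returns the names
// of its double-quoted attributes, following the browser rule that a quoted
// value ends only at the next literal '"'. Used as the check that the
// untrusted value cannot introduce attributes of its own.
function attributeNames(html) {
  const tag = html.match(/^<\w+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /\s+([^\s=]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Stand-alone demonstration.
console.log('unsafe :', renderEditButtonUnsafe(REPORTED_NAME));
console.log('  attrs:', attributeNames(renderEditButtonUnsafe(REPORTED_NAME)));
console.log('safe   :', renderEditButtonSafe(REPORTED_NAME));
console.log('  attrs:', attributeNames(renderEditButtonSafe(REPORTED_NAME)));
```

Run with `node`: the unsafe rendering yields an element with an `onmouseover` attribute that the reporter never authored in the template, while the encoded rendering keeps the whole name inside `data-name`. When the attribute is set client-side instead, `element.setAttribute('data-name', name)` avoids the problem entirely because the value is never re-parsed as markup; the encoding above is what a server-side template must apply when it emits the attribute as text.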