[RA-1266] Stored XSS in appointment types - OpenMRS Issues

XML

Word

Printable

Details

Type: Technical task
Status: Accepted
Priority: TBD
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Appointment Scheduling UI
Labels:
- security
- xss

Complexity:
Undetermined

Description

Steps to reproduce vulnerability:

1.) From the main page, click on "Appointment Scheduling"
2.) click "Manage Service Types"

At this point user should be on a page that lists service types with a URL similar to (depending on the location of your openmrs installation):
http://192.168.0.15:8080/openmrs/appointmentschedulingui/manageAppointmentTypes.page

3.) click "New Service Type"
4.) set the name of the new service type to the following string:

" onmouseover="alert('xss')"
5.) set the duration and description to any normal value
6.) click "Save"

User should be redirected to the "Manage Service Types" page that displays all service types in tabular format

7.) on the next page, hover mouse over the edit button associated with the new service type in the service type (an xss alert popup should be triggered - see attachment)

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Screen Shot 2016-12-31 at 1.31.58 PM.png
1.60 MB
2016-12-31 13:38:47 GMT

Activity

People

Assignee:: Daniel Kayiwa

Reporter:: Isaac Sears

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2016-12-31 13:38:47 GMT

Updated:: 2017-02-12 15:52:35 GMT

Resolved:: 2017-02-12 15:52:35 GMT