[RA-1318] Stored XSS in Diagnoses section of patient.page - OpenMRS Issues

XML

Word

Printable

Details

Type: Technical task
Status: Approved
Priority: Must
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Reference Application 2.7.0
Component/s: Reference Application
Labels:
- community-priority
- intro
- security
- xss

Complexity:
Low
Sprint:
Ref App 2.11 Release Sprint 3, Ref App 2.12 Priorities

Description

This xss bug can be exploited when a user clicks on the "Visit Note" link on a patient's page and creates a note with diagnosis: Non-coded <script>alert('xss');</script>.

The injected JS will be executed back on the patient's page in the diagnosis section.

Gliffy Diagrams

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screen Shot 2017-03-05 at 1.13.28 PM.png
1.29 MB
2017-03-05 13:14:23 GMT

Activity

People

Assignee:: Daniel Kayiwa

Reporter:: Isaac Sears

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2017-03-05 13:14:23 GMT

Updated:: 2021-02-25 14:32:30 GMT

Resolved:: 2017-10-16 03:20:23 GMT