Details

    • Type: Technical task
    • Status: Accepted
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Complexity:
      Undetermined

      Description

      The patient creation flow is allowed to store XSS. The vulnerable fields 'given name' and 'family name' were fixed in 1.11.x release. But there is stil vulnerable field 'Address' which allow to store javascript code.
      I have attached demo of exploitation of the vulnerability.

        Attachments

        1. 1.png
          1.png
          127 kB
        2. 2.png
          2.png
          125 kB
        3. 3.png
          3.png
          132 kB
        4. 4.png
          4.png
          97 kB

          Issue Links

            Activity

              People

              • Assignee:
                dkayiwa Daniel Kayiwa
                Reporter:
                approce Roman Zayats
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: