Details

    • Type: Technical task
    • Status: Approved
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Complexity:
      Undetermined
    • Sprint:
      Ref App 2.11 Release Sprint 3, Ref App 2.12 Priorities

      Description

      The patient creation flow is allowed to store XSS. The vulnerable fields 'given name' and 'family name' were fixed in 1.11.x release. But there is stil vulnerable field 'Address' which allow to store javascript code.
      I have attached demo of exploitation of the vulnerability.

        Gliffy Diagrams

          Attachments

          1. 1.png
            1.png
            127 kB
          2. 2.png
            2.png
            125 kB
          3. 3.png
            3.png
            132 kB
          4. 4.png
            4.png
            97 kB

            Issue Links

              Activity

                People

                Assignee:
                dkayiwa Daniel Kayiwa
                Reporter:
                approce Roman Zayats
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: