Details

    • Type: Technical task
    • Status: Accepted
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Complexity:
      Undetermined

      Description

      The patient creation flow is allowed to store XSS. The vulnerable fields 'given name' and 'family name' were fixed in 1.11.x release. But there is stil vulnerable field 'Address' which allow to store javascript code.
      I have attached demo of exploitation of the vulnerability.

        Attachments

        1. 1.png
          1.png
          127 kB
        2. 2.png
          2.png
          125 kB
        3. 3.png
          3.png
          132 kB
        4. 4.png
          4.png
          97 kB

          Issue Links

            Activity

              People

              Assignee:
              dkayiwa Daniel Kayiwa
              Reporter:
              approce Roman Zayats
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: