[REPORT-492] Multiple stored XSS via Dimension Name and Descriptions - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Could
Resolution: Fixed
Affects Version/s: Reporting 0.7.5
Fix Version/s: 1.24.0
Component/s: None
Labels:

Complexity:
Low
Development:

Under Review1 build succeeded

Description

This XSS reflection security risk was discovered during the January 2013 FlossHack event and credited to Kevin Jacobs:

Pages:

module/reporting/indicators/editCohortDefinitionDimension.form
module/reporting/parameters/queryParameter.form
module/reporting/indicators/manageDimensions.form (executes previously injected Dimension Name scripts)
reporting/indicators/editCohortDefinitionDimension: name and description parameters. XSS

Expected behavior: Wherever a dimension name is outputted to the screen, it should be escaped (XML-escaped or JS-escaped, as relevant)
Observed behavior: If you put a <script> tag in the dimension name, the script will be executed on several pages.

(Surely this same vulnerability exists in other screens in the reporting module, so while doing this ticket, it would be nice to also fix screens related to other reporting definitions. Alternately, look at the screens for other definition types, and create a similar ticket for any vulnerabilities found.)

Gliffy Diagrams

Attachments

Activity

People

Assignee:: isaac lin

Reporter:: Darius Jazayeri

Designated Committer:: Ian Bacher

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2013-03-21 10:49:31 GMT

Updated:: 2022-04-05 19:50:54 GMT

Resolved:: 2022-04-05 19:50:54 GMT

Time Tracking

Estimated:

Remaining:

Logged: