Uploaded image for project: 'OpenMRS Core'
  1. OpenMRS Core
  2. TRUNK-3935

Stored XSS via Custom Form Fields

          Details

          • Complexity:
            Medium

            Description

            When editing forms in OpenMRS, information about the form and fields (names and descriptions) are not escaped, allowing XSS attacks.

            credit: Lauren

            At this URL (as of 1.9.x): /openmrs/admin/forms/formEdit.form

              Gliffy Diagrams

                Attachments

                  Attachments-Category-Modification

                    Activity

                      People

                      • Assignee:
                        sharonvarghese Sharon Varghese
                        Reporter:
                        burke Burke Mamlin
                        Watchers:
                        Burke Mamlin, Chris Niesel, Daniel Kayiwa, Darius Jazayeri, Lluis Martinez, Sharon Varghese
                      • Votes:
                        0 Vote for this issue
                        Watchers:
                        6 Start watching this issue

                        Dates

                        • Created:
                          Updated:
                          Resolved:

                          Time Tracking

                          Estimated:
                          Original Estimate - 4 hours
                          4h
                          Remaining:
                          Time Spent - 2 hours Remaining Estimate - 2 hours
                          2h
                          Logged:
                          Time Spent - 2 hours Remaining Estimate - 2 hours
                          2h