OpenMRS Core / TRUNK-3935

Stored XSS via Custom Form Fields

    Details

      Description

      When editing forms in OpenMRS, information about the form and fields (names and descriptions) is not escaped, allowing XSS attacks.

      credit: Lauren

      At this URL (as of 1.9.x): /openmrs/admin/forms/formEdit.form

              People

              Assignee:
              sharonvarghese Sharon Varghese
              Reporter:
              burke Burke Mamlin
              Votes: 0
              Watchers: 6

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated: 4h
                  Remaining: 2h
                  Logged: 2h