  1. OpenMRS Core
  2. TRUNK-3935

Stored XSS via Custom Form Fields


Details

    Description

      When editing forms in OpenMRS, information about the form and fields (names and descriptions) is not escaped, allowing XSS attacks.

      credit: Lauren

      At this URL (as of 1.9.x): /openmrs/admin/forms/formEdit.form

            People

              sharonvarghese Sharon Varghese
              burke Burke Mamlin

                Time Tracking

                  Estimated: 4h
                  Remaining: 2h
                  Logged: 2h