OpenMRS Core / TRUNK-3937

Stored XSS in Location Pages

    Details

    • Complexity:
      Medium

      Description

      It's possible to inject some JavaScript into forms on the location pages:

      To reproduce:

      1. Go to admin/locations/location.form and create a new location (<script>alert(1)</script> as name).
      2. Load this form; the script is run from the Parent Location dropdown box.
      admin/locations/locationTag.list - name, desc parameters
      admin/locations/hierarchy.list - previously stored location name parameter.

      Originally reported by Kevin Jacobs
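
An added example, not OpenMRS code and not the fix that was committed for this issue: it renders a parent-location dropdown from stored names, first with the name concatenated into the markup and then with the name HTML-encoded at output time. The class, the method names, the `parentLocation` field name and the sample data are assumptions made for illustration.

```java
import java.util.List;

public class LocationOptions {

    // Minimal HTML encoder, safe for element text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Builds the dropdown; option values are list indexes, option text is the stored name.
    static String render(List<String> names, boolean encode) {
        StringBuilder html = new StringBuilder("<select name=\"parentLocation\">");
        for (int id = 0; id < names.size(); id++) {
            String name = names.get(id);
            html.append("<option value=\"").append(id).append("\">")
                .append(encode ? escapeHtml(name) : name) // encode == false is the vulnerable pattern
                .append("</option>");
        }
        return html.append("</select>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: an ordinary name and the name from the report.
        List<String> names = List.of("Outpatient Clinic", "<script>alert(1)</script>");
        String unsafe = render(names, false);
        String safe = render(names, true);
        System.out.println("unencoded: " + unsafe);
        System.out.println("encoded:   " + safe);
        // The raw tag reaches the page only when the stored name is not encoded.
        if (!unsafe.contains("<script>")) throw new AssertionError("raw tag expected");
        if (safe.contains("<script>")) throw new AssertionError("tag survived encoding");
        if (!safe.contains("&lt;script&gt;alert(1)&lt;/script&gt;")) throw new AssertionError("bad encoding");
    }
}
```

The same output encoding applies wherever a stored name or description is written back into a page, which covers the locationTag.list and hierarchy.list views listed in the report.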


              People

              Assignee:
              pmuchowski Paweł Muchowski
              Reporter:
              sgithens Steven Githens
              Votes:
              0
              Watchers:
              7

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  Logged:
                  Time Spent - 2 days, 5 hours