OpenMRS Core / TRUNK-3937

Stored XSS in Location Pages


    Details

    • Complexity:
      Medium

      Description

      It's possible to inject some JavaScript into forms on the location pages:

      To reproduce:

      1. Go to admin/locations/location.form and create a new location (<script>alert(1)</script> as name).
      2. Load this form; the script is run from the Parent Location dropdown box.
      admin/locations/locationTag.list - name, desc parameters
      admin/locations/hierarchy.list - previously stored location name parameter.

      Originally reported by Kevin Jacobs
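
The Parent Location dropdown case from the reproduction steps, as an added example that is not OpenMRS code: a stored location name written into an `<option>` with and without HTML escaping. The class, method and field names and the sample rows are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not OpenMRS code; all names here are hypothetical.
public class LocationOptionEscaping {

    // Encode the characters that let stored text break out of HTML text
    // or a quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Render the dropdown; escape=false reproduces the vulnerable pattern of
    // writing the stored name into the page unchanged.
    static String renderSelect(Map<Integer, String> locations, boolean escape) {
        StringBuilder sb = new StringBuilder("<select name=\"parentLocation\">\n");
        for (Map.Entry<Integer, String> e : locations.entrySet()) {
            String name = escape ? escapeHtml(e.getValue()) : e.getValue();
            sb.append("  <option value=\"").append(e.getKey()).append("\">")
              .append(name).append("</option>\n");
        }
        return sb.append("</select>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample rows standing in for stored locations.
        Map<Integer, String> stored = new LinkedHashMap<>();
        stored.put(1, "Outpatient Clinic");
        stored.put(2, "<script>alert(1)</script>"); // name used in the report
        System.out.println("Unescaped:\n" + renderSelect(stored, false));
        String safe = renderSelect(stored, true);
        System.out.println("Escaped:\n" + safe);
        if (safe.contains("<script>")) {
            throw new IllegalStateException("stored name reached the page as markup");
        }
    }
}
```

The same encoding applies wherever a stored name or description is written back into a page, which covers the tag list and hierarchy views named in the report.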

            People

            Assignee:
            pmuchowski Paweł Muchowski
            Reporter:
            sgithens Steven Githens
                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 2d 5h