Apache · Apache Tomcat · CVE-2022-23612
**Name of the Vulnerable Software and Affected Versions**
OpenMRS versions prior to 2.1.5
OpenMRS versions prior to 2.2.1
OpenMRS versions prior to 2.3.5
OpenMRS versions prior to 2.4.5
OpenMRS versions prior to 2.5.3
**Description**
The issue affects OpenMRS, a patient-based medical record system, which does not sanitize the request path of GET requests to `/images` and `/initfilter/scripts`. This allows an attacker to access any file on the system that is readable by the user ID OpenMRS is running under, i.e. the vulnerability can be exploited for arbitrary file exfiltration.
**Recommendations**
For OpenMRS versions prior to 2.1.5, update to version 2.1.5.
For OpenMRS versions prior to 2.2.1, update to version 2.2.1.
For OpenMRS versions prior to 2.3.5, update to version 2.3.5.
For OpenMRS versions prior to 2.4.5, update to version 2.4.5.
For OpenMRS versions prior to 2.5.3, update to version 2.5.3.
As a temporary workaround, consider restricting access to the `/images` and `/initfilter/scripts` endpoints until the upgrade has been applied.
Users on older versions of Tomcat should consider upgrading their Tomcat instance to at least version 7.0.28 to mitigate the risk.
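As an added detection example (not part of this advisory, nor code from OpenMRS or Tomcat), the Python below scans Tomcat-style access-log lines for GET requests whose path walks out of the two endpoints named above, decoding percent-encoded and backslash variants first and rating 2xx responses as probable successes. The sample log lines, the `/openmrs` context path and the finding field names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Endpoints named in the advisory, matched as path segments; a context path such as /openmrs may precede them.
ENDPOINT_RE = re.compile(r"(?:^|/)(?:images|initfilter/scripts)(?:/|$)")
# Tomcat "common" access-log pattern: host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines (invented traffic for illustration, not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2022:10:01:02 +0000] "GET /openmrs/images/logo.png HTTP/1.1" 200 4321
10.0.0.9 - - [10/Feb/2022:10:01:07 +0000] "GET /openmrs/images/../../WEB-INF/web.xml HTTP/1.1" 200 2210
10.0.0.9 - - [10/Feb/2022:10:01:09 +0000] "GET /openmrs/initfilter/scripts/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 9001
10.0.0.7 - - [10/Feb/2022:10:02:00 +0000] "GET /openmrs/patientDashboard.form HTTP/1.1" 200 800
10.0.0.9 - - [10/Feb/2022:10:02:30 +0000] "GET /openmrs/images/..%5c..%5cWEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.9 - - [10/Feb/2022:10:03:00 +0000] "GET /openmrs/ws/rest/v1/../images/x.png HTTP/1.1" 200 10
"""

def normalize_target(target: str) -> str:
    """Drop the query string, URL-decode up to three times (unmasks %2e%2e and double encoding), fold backslashes."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def traversal_after_endpoint(path: str):
    """Return the affected endpoint if a '..' segment follows it; a '..' before the endpoint resolves elsewhere."""
    m = ENDPOINT_RE.search(path)
    if m and ".." in path[m.end():].split("/"):
        return m.group(0).strip("/")
    return None

def scan_access_log(log_text: str) -> list:
    """Flag GET requests that walk out of /images or /initfilter/scripts; 2xx means content was returned."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        path = normalize_target(m.group("target"))
        endpoint = traversal_after_endpoint(path)
        if endpoint is None:
            continue
        status = int(m.group("status"))
        findings.append({"line": lineno, "ip": m.group("ip"), "endpoint": endpoint, "decoded_path": path,
                         "verdict": "probable_success" if 200 <= status < 300 else "attempt"})
    return findings
```

Run `scan_access_log` over a real access log to triage: "probable_success" findings from before the upgrade warrant checking which files the OpenMRS service account could read.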