PT-2017-18052 · Openmrs · Openmrs Reporting Module

Published: 2017-04-21 · Updated: 2017-04-26 · CVE-2017-7990

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenMRS Reporting Module version 1.12.0

Description: The module allows CSRF attacks with resultant XSS. An authenticated administrator's session can be hijacked through a forged request to insert JavaScript into a name field handled by the "webapp/reports/manageReports.jsp" endpoint; the injected script then runs for users who view that page. This can lead to unauthorized access and malicious actions.

Recommendations: For OpenMRS Reporting Module version 1.12.0, consider disabling access to the "webapp/reports/manageReports.jsp" endpoint until a patch is available, to prevent CSRF and XSS attacks. Restrict administrative authentication to minimize the risk of exploitation.

Tags: Exploit · Fix · CSRF


Weakness Enumeration: (none listed)

Related Identifiers: CVE-2017-7990

Affected Products: Openmrs Reporting Module