CVE-2021-4289

Name of the Vulnerable Software and Affected Versions OpenMRS openmrs-module-referenceapplication versions up to 2.11.x

Description A vulnerability was found in the function post of the file omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/UserAppPageController.java of the component User App Page. The manipulation of the argument AppId leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 2.12.0 is able to address this issue.

Recommendations For OpenMRS openmrs-module-referenceapplication versions up to 2.11.x, upgrade to version 2.12.0 to address the issue. As a temporary workaround, consider restricting access to the UserAppPageController.java file or disabling the post function until the upgrade is applied. Avoid using the AppId argument in the affected component until the issue is resolved.