PT-2022-28041 · Openmrs · Openmrs Appointment Scheduling Module

Varsha5595 · Published 2022-12-24 · Updated 2023-01-05 · CVE-2022-4727

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

OpenMRS Appointment Scheduling Module versions up to 1.16.x

Description

A vulnerability was found in the OpenMRS Appointment Scheduling Module. It affects the function getNotes in the file api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java of the Notes Handler component. Manipulating the notes argument leads to cross-site scripting. The attack can be initiated remotely. Upgrading to version 1.17.0 addresses this issue.

Recommendations

For OpenMRS Appointment Scheduling Module versions up to 1.16.x, upgrade to version 1.17.0 to address the issue. As a temporary workaround, consider restricting access to the getNotes function of the Notes Handler component until the upgrade is applied. Avoid using the notes argument in the affected component until the issue is resolved.

Fix

Improper Neutralization

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-4727

Affected Products

Openmrs Appointment Scheduling Module