CVE-2025-25929

Name of the Vulnerable Software and Affected Versions: Openmrs version 2.4.3 Build 0ff0ed

Description: A reflected cross-site scripting (XSS) issue exists in the /legacyui/quickReportServlet component, allowing attackers to execute arbitrary JavaScript in the context of a user's browser. This is achieved by injecting a crafted payload into the reportType parameter.

Recommendations: For Openmrs version 2.4.3 Build 0ff0ed, as a temporary workaround, consider restricting access to the /legacyui/quickReportServlet component until a patch is available. Avoid using the reportType parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.