CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter.
AnalysisAI
OpenMRS version 2.4.3 contains a reflected XSS vulnerability in its legacy UI quick report feature that allows attackers to inject malicious JavaScript code through the reportType parameter. Users accessing crafted malicious links to the vulnerable /legacyui/quickReportServlet endpoint are affected. An attacker could execute arbitrary JavaScript in a victim's browser to steal session cookies, capture credentials, or perform actions on behalf of the user within the OpenMRS system.
Technical ContextAI
This vulnerability (CWE-79: Cross-site Scripting (XSS)) exists in the the component. A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter.
Affected ProductsAI
Product: component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed. Component: the.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Share
External POC / Exploit Code
Leaving vuln.today