OpenMRS Cross-Site Request Forgery Vulnerability Allowing Privilege Escalation

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in OpenMRS version 2.4.3 Build 0ff0ed. It allows an attacker to perform arbitrary actions on behalf of an authenticated user by causing that user's browser to submit a crafted request to the /admin/users/user.form endpoint. Exploiting this vulnerability could enable an attacker to elevate a low-privileged user's account to an administrative role.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a low-privileged user to gain administrative rights.

Reproduction

To reproduce this vulnerability, log in as a user with low privileges and navigate to the Admin Users section. Observe that the user has the role of 'anonymous'. Then, execute the crafted CSRF proof of concept (PoC) within the Admin user's browser. This PoC submits a form that includes the low-privileged user's details and requests a role change to 'System Developer'. After the form is submitted, the low-privileged user is elevated to an Admin role. Note that the low-privileged user must sign out and back in for the change to take effect.
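As an added detection example that is not part of this advisory or of OpenMRS itself, the following Python script scans web-server access log lines in Apache/Tomcat combined format for POSTs to /admin/users/user.form whose Referer is absent or points to another origin, which is what a forged submission from an attacker-controlled page leaves behind. The host name openmrs.example.org, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

OPENMRS_HOST = "openmrs.example.org"   # assumption: host OpenMRS is served from
TARGET_PATH = "/admin/users/user.form"  # the endpoint named in the advisory

# Apache/Tomcat "combined" access log: client ident user [ts] "request" status
# bytes "Referer" "User-Agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a normal edit (GET the form, POST it back) followed by two
# POSTs whose Referer is foreign or absent, as a forged submission leaves them.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2025:19:40:01 +0000] "GET /admin/users/user.form?userId=7 HTTP/1.1" 200 5120 "https://openmrs.example.org/admin/users/users.list" "Mozilla/5.0"
10.0.0.5 - - [09/Jun/2025:19:40:09 +0000] "POST /admin/users/user.form HTTP/1.1" 302 0 "https://openmrs.example.org/admin/users/user.form?userId=7" "Mozilla/5.0"
10.0.0.5 - - [09/Jun/2025:19:46:22 +0000] "POST /admin/users/user.form HTTP/1.1" 302 0 "https://attacker.invalid/poc.html" "Mozilla/5.0"
10.0.0.5 - - [09/Jun/2025:19:47:03 +0000] "POST /admin/users/user.form HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def classify(line: str):
    """Return a reason if the line is a POST to the user form that was not
    submitted from a page on OPENMRS_HOST, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if m["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Lower confidence: Referrer-Policy or privacy tooling also strips it.
        return "missing Referer"
    host = urlsplit(referer).hostname
    if host != OPENMRS_HOST:
        return f"cross-origin Referer from {host}"
    return None

def scan(log_text: str):
    """Return (timestamp, client ip, reason) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m["ts"], m["ip"], reason))
    return hits
```

Because a forged request rides on the victim's own session, the client IP in a hit is the administrator's, not the attacker's; correlate each hit with the role change it produced rather than treating the IP as the source. Where the reverse proxy logs the Origin header, checking it instead of Referer gives a stronger signal.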

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.