Primary

Context

OpenMRS Reflected Cross-Site Scripting Vulnerability in Quick Report Servlet

Vulnerability

A reflected cross-site scripting vulnerability has been identified in OpenMRS version 2.4.3 Build 0ff0ed. The issue arises in the /legacyui/quickReportServlet component, where attackers can execute arbitrary JavaScript in the context of the user's browser. This is achieved by injecting a crafted payload into the reportType parameter.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, authenticate as a user with access to view quick reports, such as an admin. Then, navigate to the quick report servlet endpoint and inject a script payload into the reportType parameter. The injected script will be executed, demonstrating the cross-site scripting vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.7

exploitability

6.3

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.7

exploitability

6.3

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OpenMRS Reflected Cross-Site Scripting Vulnerability in Quick Report Servlet

Vulnerability

Impact

Reproduction

Affected Products

OpenMRS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating