Описание
The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.
Ссылки
- Exploit
- Vendor Advisory
- Release NotesVendor Advisory
- Exploit
- Vendor Advisory
- Release NotesVendor Advisory
Уязвимые конфигурации
EPSS
9.8 Critical
CVSS3
10 Critical
CVSS2
Дефекты
Связанные уязвимости
The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.
Уязвимость модуля Reporting Compatibility Add On программного средства для работы с медицинскими записями OpenMRS Reference Application, позволяющая нарушителю выполнить произвольный код
EPSS
9.8 Critical
CVSS3
10 Critical
CVSS2