Multiple stored XSS via Dimension Name and Descriptions

Description

This XSS reflection security risk was discovered during the January 2013 FlossHack event and credited to Kevin Jacobs:

Pages:

  • module/reporting/indicators/editCohortDefinitionDimension.form

  • module/reporting/parameters/queryParameter.form

  • module/reporting/indicators/manageDimensions.form (executes previously injected Dimension Name scripts)

  • reporting/indicators/editCohortDefinitionDimension: name and description parameters (XSS)

Expected behavior: Wherever a dimension name is output to the screen, it should be escaped (XML-escaped or JS-escaped, as relevant).

Observed behavior: If you put a <script> tag in the dimension name, the script will be executed on several pages.

(Surely this same vulnerability exists in other screens in the reporting module, so while doing this ticket, it would be nice to also fix screens related to other reporting definitions. Alternatively, look at the screens for other definition types, and create a similar ticket for any vulnerabilities found.)
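As an added illustration of the expected behaviour above (not code from the ticket or from the reporting module), the snippet below renders a dimension name and description into the two output contexts the ticket distinguishes, an HTML table cell and a JavaScript string literal inside an inline script, escaping each value for its own context; an unescaped rendering shows the observed behaviour for comparison. The sample values and the form element ids are assumptions made for the example.

```python
import html
import json

# Constructed sample input (not from the ticket): a dimension name and
# description carrying the kind of payload the ticket describes.
SAMPLE_NAME = '<script>alert(1)</script>'
SAMPLE_DESCRIPTION = 'Age group"; alert(2); "'


def render_row_unescaped(name, description):
    """Observed behaviour: values are dropped into the page as-is."""
    return f'<tr><td>{name}</td><td>{description}</td></tr>'


def escape_xml(value):
    """Escape for an HTML/XML text or attribute context (&, <, >, ", ')."""
    return html.escape(value, quote=True)


def escape_js(value):
    """Escape for use inside a JavaScript string literal.

    JSON encoding handles quotes, backslashes and control characters; the
    HTML-significant characters are hex-escaped too, so the value can neither
    open nor close a tag when the literal sits inside an inline <script>.
    """
    encoded = json.dumps(value)[1:-1]  # drop the surrounding double quotes
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_dimension_row(name, description):
    """Expected behaviour, HTML context: one row of a dimension list."""
    return (f'<tr><td>{escape_xml(name)}</td>'
            f'<td>{escape_xml(description)}</td></tr>')


def render_prefill_script(name, description):
    """Expected behaviour, JS string context: a script pre-filling the edit
    form. The element ids "name" and "description" are assumed."""
    return ('<script>'
            f'document.getElementById("name").value = "{escape_js(name)}";'
            f'document.getElementById("description").value = "{escape_js(description)}";'
            '</script>')


def leaks_raw_value(fragment, user_values):
    """True if any user-supplied value reached the output unescaped."""
    return any(value in fragment for value in user_values)
```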

Activity


Sharif Magembe October 26, 2021 at 1:55 PM

cc Requesting your reviews. Thanks.

isaac lin September 7, 2019 at 5:59 AM
Edited

This is my PR.

https://github.com/openmrs/openmrs-module-reporting/pull/180

If someone gives me some advice, I will appreciate it.


Denis Wokanya February 12, 2017 at 5:26 AM

I will use this ticket for openmrs university

Denis Wokanya February 12, 2017 at 5:24 AM

I will use this ticket for openmrs university

Fixed

Details

Complexity

Low

Time tracking

4h logged

Created March 21, 2013 at 10:49 AM
Updated April 5, 2022 at 7:50 PM
Resolved April 5, 2022 at 7:50 PM