Critical severity9.8NVD Advisory· Published Oct 23, 2017· Updated May 13, 2026

CVE-2017-12796

Description

The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.

Affected products

Openmrs/Openmrs
cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*
Range: <2.6.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

isears.github.io/jekyll/update/2017/10/21/openmrs-rce.htmlnvdExploit
talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291nvdVendor Advisory
wiki.openmrs.org/display/RES/Release+Notes+2.6.1nvdRelease NotesVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.005
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000