Vendor CVEs
Openmrs
All CVEs
33 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-12796 | Cri | 0.64 | 9.8 | 0.04 | Oct 23, 2017 | The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute… | ||
| CVE-2017-7990 | Hig | 0.57 | 8.8 | 0.01 | Apr 21, 2017 | The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp. | ||
| CVE-2026-41258 | Cri | 0.52 | 9.1 | 0.00 | May 15, 2026 | OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox… | ||
| CVE-2026-40076 | Hig | 0.50 | 8.8 | 0.01 | May 6, 2026 | OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic… | ||
| CVE-2025-46823 | Hig | 0.45 | — | 0.00 | May 29, 2025 | openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit… | ||
| CVE-2026-40075 | Hig | 0.42 | 7.5 | 0.01 | May 5, 2026 | OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a… | ||
| CVE-2018-19276 | 0.10 | — | 0.99 | Mar 17, 2019 | OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body. | |||
| CVE-2025-25927 | 0.00 | — | 0.00 | Mar 11, 2025 | A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request. | |||
| CVE-2025-25929 | 0.00 | — | 0.00 | Mar 11, 2025 | A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter. | |||
| CVE-2025-25925 | 0.00 | — | 0.00 | Mar 11, 2025 | A stored cross-scripting (XSS) vulnerability in Openmrs v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/shortPatientForm.form. | |||
| CVE-2025-25928 | 0.00 | — | 0.00 | Mar 11, 2025 | A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. In this case, an attacker could elevate a low-privileged account to an administrative role by… | |||
| CVE-2020-36636 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability classified as problematic has been found in OpenMRS Admin UI Module up to 1.4.x. Affected is the function sendErrorMessage of the file omod/src/main/java/org/openmrs/module/adminui/page/controller/systemadmin/accounts/AccountPageController.java of the component… | |||
| CVE-2021-4292 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/metadata/privileges/privilege.gsp of the component Manage Privilege Page. The manipulation leads… | |||
| CVE-2021-4291 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability was found in OpenMRS Admin UI Module up to 1.5.x. It has been declared as problematic. This vulnerability affects unknown code of the file omod/src/main/webapp/pages/metadata/locations/location.gsp. The manipulation leads to cross site scripting. The attack can… | |||
| CVE-2020-36635 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x. It has been classified as problematic. This affects the function validateFieldName of the file api/src/main/java/org/openmrs/module/appointmentscheduling/validator/AppointmentTypeValidator.java. The… | |||
| CVE-2021-4289 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability classified as problematic was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. Affected by this vulnerability is the function post of the file omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/UserAppPageController.java… | |||
| CVE-2021-4288 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/userApp.gsp. The manipulation leads to cross site scripting. The attack may… | |||
| CVE-2021-4284 | 0.00 | — | 0.01 | Dec 27, 2022 | A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.0… | |||
| CVE-2022-4727 | 0.00 | — | 0.01 | Dec 24, 2022 | A vulnerability, which was classified as problematic, was found in OpenMRS Appointment Scheduling Module up to 1.16.x. This affects the function getNotes of the file api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java of the component Notes… | |||
| CVE-2021-43094 | 0.00 | — | 0.01 | May 10, 2022 | An SQL Injection vulnerability exists in OpenMRS Reference Application Standalone Edition <=2.11 and Platform Standalone Edition <=2.4.0 via GET requests on arbitrary parameters in patient.page. | |||
| CVE-2022-23612 | 0.00 | — | 0.02 | Feb 22, 2022 | OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to failure to sanitize request when satisfying GET requests for `/images` &… | |||
| CVE-2020-24621 | 0.00 | — | 0.03 | Sep 25, 2020 | A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and… | |||
| CVE-2020-5731 | 0.00 | — | 0.01 | Apr 17, 2020 | In OpenMRS 2.9 and prior, the app parameter for the ActiveVisit's page is vulnerable to cross-site scripting. | |||
| CVE-2020-5730 | 0.00 | — | 0.01 | Apr 17, 2020 | In OpenMRS 2.9 and prior, the sessionLocation parameter for the login page is vulnerable to cross-site scripting. | |||
| CVE-2020-5729 | 0.00 | — | 0.01 | Apr 17, 2020 | In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue. | |||
| CVE-2020-5728 | 0.00 | — | 0.01 | Apr 17, 2020 | OpenMRS 2.9 and prior copies "Referrer" header values into an html element named "redirectUrl" within many webpages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting. | |||
| CVE-2020-5733 | 0.00 | — | 0.01 | Apr 17, 2020 | In OpenMRS 2.9 and prior, the export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows the export of potentially sensitive information. | |||
| CVE-2020-5732 | 0.00 | — | 0.01 | Apr 17, 2020 | In OpenMRS 2.9 and prior, he import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows unauthenticated users to use a feature typically restricted to administrators. | |||
| CVE-2017-12795 | 0.00 | — | 0.02 | May 10, 2019 | OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper Input Validation). | |||
| CVE-2018-16521 | Cri | 0.00 | 9.8 | 0.02 | Sep 5, 2018 | An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0. | ||
| CVE-2014-8073 | 0.00 | — | 0.01 | Oct 23, 2014 | Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standalone Edition allows remote attackers to hijack the authentication of administrators for requests that add a new user via a Save User action to admin/users/user.form. | |||
| CVE-2014-8072 | 0.00 | — | 0.02 | Oct 23, 2014 | The administration module in OpenMRS 2.1 Standalone Edition allows remote authenticated users to obtain read access via a direct request to /admin. | |||
| CVE-2014-8071 | 0.00 | — | 0.02 | Oct 23, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5)… |
- risk 0.64cvss 9.8epss 0.04
The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute…
- risk 0.57cvss 8.8epss 0.01
The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.
- risk 0.52cvss 9.1epss 0.00
OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox…
- risk 0.50cvss 8.8epss 0.01
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic…
- risk 0.45cvss —epss 0.00
openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit…
- risk 0.42cvss 7.5epss 0.01
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a…
- CVE-2018-19276Mar 17, 2019risk 0.10cvss —epss 0.99
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
- CVE-2025-25927Mar 11, 2025risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request.
- CVE-2025-25929Mar 11, 2025risk 0.00cvss —epss 0.00
A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter.
- CVE-2025-25925Mar 11, 2025risk 0.00cvss —epss 0.00
A stored cross-scripting (XSS) vulnerability in Openmrs v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/shortPatientForm.form.
- CVE-2025-25928Mar 11, 2025risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. In this case, an attacker could elevate a low-privileged account to an administrative role by…
- CVE-2020-36636Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability classified as problematic has been found in OpenMRS Admin UI Module up to 1.4.x. Affected is the function sendErrorMessage of the file omod/src/main/java/org/openmrs/module/adminui/page/controller/systemadmin/accounts/AccountPageController.java of the component…
- CVE-2021-4292Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/metadata/privileges/privilege.gsp of the component Manage Privilege Page. The manipulation leads…
- CVE-2021-4291Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in OpenMRS Admin UI Module up to 1.5.x. It has been declared as problematic. This vulnerability affects unknown code of the file omod/src/main/webapp/pages/metadata/locations/location.gsp. The manipulation leads to cross site scripting. The attack can…
- CVE-2020-36635Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x. It has been classified as problematic. This affects the function validateFieldName of the file api/src/main/java/org/openmrs/module/appointmentscheduling/validator/AppointmentTypeValidator.java. The…
- CVE-2021-4289Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability classified as problematic was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. Affected by this vulnerability is the function post of the file omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/UserAppPageController.java…
- CVE-2021-4288Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/userApp.gsp. The manipulation leads to cross site scripting. The attack may…
- CVE-2021-4284Dec 27, 2022risk 0.00cvss —epss 0.01
A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.0…
- CVE-2022-4727Dec 24, 2022risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in OpenMRS Appointment Scheduling Module up to 1.16.x. This affects the function getNotes of the file api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java of the component Notes…
- CVE-2021-43094May 10, 2022risk 0.00cvss —epss 0.01
An SQL Injection vulnerability exists in OpenMRS Reference Application Standalone Edition <=2.11 and Platform Standalone Edition <=2.4.0 via GET requests on arbitrary parameters in patient.page.
- CVE-2022-23612Feb 22, 2022risk 0.00cvss —epss 0.02
OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to failure to sanitize request when satisfying GET requests for `/images` &…
- CVE-2020-24621Sep 25, 2020risk 0.00cvss —epss 0.03
A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and…
- CVE-2020-5731Apr 17, 2020risk 0.00cvss —epss 0.01
In OpenMRS 2.9 and prior, the app parameter for the ActiveVisit's page is vulnerable to cross-site scripting.
- CVE-2020-5730Apr 17, 2020risk 0.00cvss —epss 0.01
In OpenMRS 2.9 and prior, the sessionLocation parameter for the login page is vulnerable to cross-site scripting.
- CVE-2020-5729Apr 17, 2020risk 0.00cvss —epss 0.01
In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue.
- CVE-2020-5728Apr 17, 2020risk 0.00cvss —epss 0.01
OpenMRS 2.9 and prior copies "Referrer" header values into an html element named "redirectUrl" within many webpages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting.
- CVE-2020-5733Apr 17, 2020risk 0.00cvss —epss 0.01
In OpenMRS 2.9 and prior, the export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows the export of potentially sensitive information.
- CVE-2020-5732Apr 17, 2020risk 0.00cvss —epss 0.01
In OpenMRS 2.9 and prior, he import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows unauthenticated users to use a feature typically restricted to administrators.
- CVE-2017-12795May 10, 2019risk 0.00cvss —epss 0.02
OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper Input Validation).
- risk 0.00cvss 9.8epss 0.02
An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.
- CVE-2014-8073Oct 23, 2014risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standalone Edition allows remote attackers to hijack the authentication of administrators for requests that add a new user via a Save User action to admin/users/user.form.
- CVE-2014-8072Oct 23, 2014risk 0.00cvss —epss 0.02
The administration module in OpenMRS 2.1 Standalone Edition allows remote authenticated users to obtain read access via a direct request to /admin.
- CVE-2014-8071Oct 23, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5)…