Vulnerability CVE-2018-19276


Published: 2019-03-21

Description:
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
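The description names the whole flaw: the XML body of a REST request is mapped straight onto Java objects, so the element names in that body choose which classes get instantiated. The page does not say which XML library is involved. The example below is added for this page and is not code from the Bishop Fox advisory or the OpenMRS project; it assumes XStream (1.4.7 or later, for the permission API), a hypothetical `PatientUpdate` DTO with made-up element names, and two constructed request bodies. It shows the unrestricted deserializer next to the allow-listed configuration that XStream documents as the fix; no exploit gadget is included, the hostile body simply names a JDK class the endpoint never asked for.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example, not OpenMRS or Bishop Fox code. Assumes XStream 1.4.7+ and a
 * hypothetical DTO; both request bodies below are constructed for illustration.
 */
public class XmlBodyDeserialization {

    /** Hypothetical DTO standing in for whatever resource the REST endpoint expects. */
    public static class PatientUpdate {
        public String uuid;
        public String gender;
    }

    /**
     * Vulnerable pattern. Before XStream 1.4.18 a fresh XStream() applies no type
     * restriction, so the root element (or any nested element) of an untrusted body
     * selects the class that gets instantiated and populated. With suitable classes
     * on the classpath that is how crafted XML turns into command execution; this
     * example only shows that the caller, not the endpoint, picks the type.
     */
    static Object parseUnsafe(String xml) {
        XStream xs = new XStream();
        xs.alias("patient", PatientUpdate.class);
        return xs.fromXML(xml);
    }

    /**
     * Hardened pattern: deny every type, then allow only the DTO this endpoint
     * accepts and the basic types it is built from. Any other class name in the
     * body raises an XStream security exception before an object is constructed.
     */
    static PatientUpdate parseSafe(String xml) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // start from an empty allow list
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, PatientUpdate.class }); // String for the text fields
        xs.alias("patient", PatientUpdate.class);
        Object result = xs.fromXML(xml);
        if (!(result instanceof PatientUpdate)) {           // also pin the root type
            throw new IllegalArgumentException("unexpected root type " + result.getClass());
        }
        return (PatientUpdate) result;
    }

    public static void main(String[] args) {
        // Constructed benign body, in the shape the endpoint expects.
        String benign = "<patient><uuid>c0ffee</uuid><gender>F</gender></patient>";
        // Constructed hostile body: a fully qualified JDK class name in place of the DTO.
        // java.util.HashMap is a harmless stand-in; a real attack names a class whose
        // construction has side effects.
        String hostile = "<java.util.HashMap><entry><string>k</string><string>v</string></entry>"
                       + "</java.util.HashMap>";

        // Unrestricted: both bodies deserialize, and the hostile one yields the attacker's type.
        System.out.println("unsafe, benign  -> " + parseUnsafe(benign).getClass().getName());
        System.out.println("unsafe, hostile -> " + parseUnsafe(hostile).getClass().getName());

        // Allow-listed: the benign body still works, the hostile one is refused.
        System.out.println("safe, benign    -> uuid=" + parseSafe(benign).uuid);
        try {
            parseSafe(hostile);
            System.out.println("safe, hostile   -> accepted (should not happen)");
        } catch (XStreamException e) {
            System.out.println("safe, hostile   -> rejected by " + e.getClass().getSimpleName());
        }
    }
}
```

When auditing a deployment the checks that follow from this are: confirm the version threshold the description gives (2.24.0 or later), and grep the code base for any `new XStream()` that is never followed by `addPermission`/`allowTypes`. On the detection side, an XML request body whose root element is a fully qualified class name (`java.`, `javax.`, `sun.`, `com.sun.`) rather than the resource the endpoint serves is the signature of this class of attack and is cheap to alert on at the WAF or access-log layer.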

See advisories in our WLB2 database:

Risk   Topic                                              Author       Date
High   OpenMRS Platform Insecure Object Deserialization   Bishop Fox   05.02.2019

Type: CWE-502 (Deserialization of Untrusted Data)

Vendor: Openmrs
Product: Openmrs
Version: 2.1

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score:          10/10
Impact Subscore:          10/10
Exploitability Subscore:  10/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Not required
Confidentiality impact:   Complete
Integrity impact:         Complete
Availability impact:      Complete

References:
http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html
https://www.exploit-db.com/exploits/46327/

Related CVE
CVE-2017-12795
OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper Input Validation).
CVE-2018-16521
An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.
CVE-2017-12796
The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated u...
CVE-2017-7990
The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.
CVE-2014-8073
Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standalone Edition allows remote attackers to hijack the authentication of administrators for requests that add a new user via a Save User action to admin/users/user.form.
CVE-2014-8072
The administration module in OpenMRS 2.1 Standalone Edition allows remote authenticated users to obtain read access via a direct request to /admin.
CVE-2014-8071
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/regi...

Copyright 2019, cxsecurity.com
