CVE-2020-5728

MEDIUM

OpenMRS < 2.9.0 - Stored Cross-Site Scripting via Referrer Header


Description

OpenMRS 2.9 and prior copies "Referrer" header values into an HTML element named "redirectUrl" within many webpages (such as login.htm). This parameter is insufficiently validated, which allows for the possibility of cross-site scripting.

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2020-18

Scores

CVSS v3 6.1
EPSS 0.0114
EPSS Percentile 62.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-20 CWE-79
Status published
Products (1)
openmrs/openmrs < 2.9.0
Published Apr 17, 2020
Tracked Since Feb 18, 2026