CVE-2022-4727
LOWOpenMRS Appointment Scheduling Module < 1.17.0 - Cross-Site Scripting in Notes Handler
Title source: llmDescription
A vulnerability, which was classified as problematic, was found in OpenMRS Appointment Scheduling Module up to 1.16.x. This affects the function getNotes of the file api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java of the component Notes Handler. The manipulation of the argument notes leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.17.0 is able to address this issue. The name of the patch is 2ccbe39c020809765de41eeb8ee4c70b5ec49cc8. It is recommended to upgrade the affected component. The identifier VDB-216741 was assigned to this vulnerability.
References (4)
Core 4
Core References
Patch, Third Party Advisory
https://github.com/openmrs/openmrs-module-appointmentscheduling/commit/2ccbe39c020809765de41eeb8ee4c70b5ec49cc8
Patch, Third Party Advisory
https://github.com/openmrs/openmrs-module-appointmentscheduling/pull/39
Release Notes, Third Party Advisory
https://github.com/openmrs/openmrs-module-appointmentscheduling/releases/tag/1.17.0
Third Party Advisory
https://vuldb.com/?id.216741
Scores
CVSS v3
3.5
EPSS
0.0088
EPSS Percentile
54.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-79
CWE-707
Status
published
Products (1)
openmrs/appointment_scheduling_module
< 1.17.0
Published
Dec 27, 2022
Tracked Since
Feb 18, 2026