CVE-2020-24621

openmrs/openmrs-module-htmlformentry

on github

openmrs/openmrs-module-uiframework

on github

Published

September 25, 2020

Severity

CVSS v3:

8.8 HIGH

CVSS v2:

6.5 MEDIUM

Description

A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed.

References

https://issues.openmrs.org/browse/HTML-730
https://github.com/openmrs/openmrs-module-uiframework/pull/59
https://www.contrastsecurity.com/security-influencers
https://github.com/openmrs/openmrs-module-htmlformentry/pull/178
https://www.contrastsecurity.com/security-influencers/authenticated-remote-code-execution-openmrs

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:openmrs:htmlformentry::::::openmrs::*	n/a	3.11.0	*

External Links

NVD - CVE-2020-24621