OpenMRS 2.3 (1.11.4) Multiple Cross-Site Scripting Vulnerabilities

Title: OpenMRS 2.3 (1.11.4) Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2015-5287
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.12.2015
OpenMRS is an application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built.
OpenMRS suffers from multiple stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
OpenMRS Inc. -
Affected Version
OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Tested On
Ubuntu 12.04.5 LTS
Apache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
Vendor Status
[02.11.2015] Vulnerability discovered.
[10.11.2015] Vendor contacted via
[10.11.2015] Vendor responds instructing us to create OpenMRS ID and post to developer category on
[10.11.2015] Issues with registration.
[11.11.2015] Contacting
[12.11.2015] Sent information to the vendor on IRC channel.
[14.11.2015] Vendor responds asking more details.
[14.11.2015] Sent details to the vendor.
[16.11.2015] Vendor confirms issues, working on patch.
[25.11.2015] Asked vendor for status update.
[25.11.2015] Vendor informs that patches are done, testing before release probably next week.
[30.11.2015] Vendor releases new modules to address these issues.
[02.12.2015] Vendor releases new official version 2.3.1 to address these issues.
[07.12.2015] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic - <>
[07.12.2015] - Initial release
[08.12.2015] - Added reference [11], [12] and [13]
[10.12.2015] - Added reference [14] and [15]
Zero Science Lab