Platform
java
Component
openmrs-module-appointmentscheduling
Fixed in
1.0.1
1.1.1
1.2.1
1.3.1
1.4.1
1.5.1
1.6.1
1.7.1
1.8.1
1.9.1
1.10.1
1.11.1
1.12.1
CVE-2020-36635 is a cross-site scripting (XSS) vulnerability in the OpenMRS Appointment Scheduling Module. It allows an attacker to inject script into content the module renders for other users, which can lead to session hijacking or defacement. Versions 1.0 through 1.12.x are affected; upgrading to version 1.13.0 resolves the issue.
Successful exploitation of CVE-2020-36635 allows an attacker to inject arbitrary JavaScript into the OpenMRS Appointment Scheduling Module. The script executes in the browser of any user who views the affected content, with that user's privileges and access to anything the page can reach, including session cookies unless they are flagged HttpOnly. An attacker could use this to act as the victim, modify data, or redirect the user to a malicious site. The impact is amplified where the OpenMRS instance handles Protected Health Information (PHI), since the injected script runs inside an authenticated session that can read and change patient data. Although the CVSS score is LOW, the potential for user compromise and data exposure warrants prompt attention.
CVE-2020-36635 was publicly disclosed on December 27, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at this time, and no public proof-of-concept has been widely published, but XSS of this kind requires little more than submitting a crafted field value, so exploitation is straightforward. It is not listed in the CISA KEV catalog.
Healthcare organizations and clinics running OpenMRS with Appointment Scheduling Module versions 1.0 through 1.12.x are at risk, particularly deployments that handle sensitive patient data or depend on the module for critical workflows. Multi-tenant deployments that serve several organizations from one OpenMRS origin are also at increased risk, because a script injected by one tenant's user runs with the privileges of whichever user views the affected page.
• linux / server: Monitor OpenMRS application logs for JavaScript injection attempts. Use grep to search for patterns such as <script or onerror= (case-insensitive; note that a literal pattern will not match URL-encoded variants such as %3Cscript, which are common in request logs).
grep -i '<script' /var/log/openmrs/application.log
• generic web: Use curl to send XSS payloads to the appointment scheduling endpoints and inspect the response for the payload reflected without HTML encoding.
curl -X POST -d '<script>alert("XSS")</script>' <appointment_scheduling_api_endpoint>
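The grep above misses percent-encoded payloads. The following script, an added example rather than code from the page or from OpenMRS, does the same scan over log lines but URL-decodes each line (up to twice, to catch double encoding) before matching a small set of XSS indicators. The log lines are constructed for the demonstration; the request path and logger names in them are made up and do not correspond to real OpenMRS URLs.

```python
import re
from urllib.parse import unquote

# Indicators the page suggests grepping for, plus a few common XSS vectors.
# Matching runs on a URL-decoded, lower-cased copy of each line so that
# percent-encoded payloads (as they appear in request logs) are not missed.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b"),
    re.compile(r"\bon(error|load|mouseover|focus)\s*="),
    re.compile(r"javascript\s*:"),
    re.compile(r"<\s*(img|svg|iframe)\b"),
]


def normalise(line: str) -> str:
    """URL-decode repeatedly (double encoding is common) and lower-case."""
    prev, cur = None, line
    # Three rounds is enough for double encoding and bounds the work on odd input.
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def scan_lines(lines):
    """Return (line_number, matched_indicator, decoded_line) for suspicious lines."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        decoded = normalise(raw)
        for pat in XSS_PATTERNS:
            m = pat.search(decoded)
            if m:
                hits.append((n, m.group(0), decoded.strip()))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample log lines (not real OpenMRS output). The request path is
# hypothetical. Lines 2-4 carry payloads: raw, URL-encoded, and double-encoded.
SAMPLE_LOG = [
    'INFO  appointmentscheduling - saved appointment type name="Dental check-up"',
    'WARN  appointmentscheduling - validation failed for name="<script>alert(1)</script>"',
    'INFO  request POST /openmrs/appointmentscheduling/type name=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E',
    'INFO  request POST /openmrs/appointmentscheduling/type name=%253Cscript%253E',
    'INFO  appointmentscheduling - saved appointment type name="Follow-up"',
]

if __name__ == "__main__":
    for n, indicator, line in scan_lines(SAMPLE_LOG):
        print(f"line {n}: matched {indicator!r}: {line}")
```

Run it against a real file with `scan_lines(open("/var/log/openmrs/application.log"))`; the decoded line is returned alongside the raw line number so the analyst can go back to the original entry.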
Exploit status
EPSS
0.29% (52nd percentile)
CVSS vector
The primary mitigation for CVE-2020-36635 is to upgrade the OpenMRS Appointment Scheduling Module to version 1.13.0 or later, which fixes the vulnerable code. If an immediate upgrade is not possible, add input validation in the validateFieldName function and HTML-encode the submitted value wherever it is rendered back to the user; this reduces the attack surface but is not a substitute for the upgrade. Review and strengthen web application firewall (WAF) rules to detect and block XSS attempts against the appointment scheduling endpoints, bearing in mind that signature-based rules are routinely bypassed with encoding variants. After upgrading, confirm the fix by submitting a simple JavaScript payload (e.g. <script>alert('XSS')</script>) through the appointment scheduling form or API and verifying that the response returns it HTML-encoded (as &lt;script&gt;...) rather than as live markup.
Upgrade the Appointment Scheduling module to version 1.13.0 or later. This version contains a fix for the Cross-Site Scripting (XSS) vulnerability in the validateFieldName function. The update can be performed through the OpenMRS module manager.
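The verification step above is easy to get wrong by eye: a response that contains `&lt;script&gt;` looks like the payload in a browser's text view but is harmless, while a raw `<script>` is not. The script below is an added example, not part of the page or of OpenMRS, that performs the check mechanically. It embeds a random canary in the payload so that a match cannot come from pre-existing page content, then classifies the response as vulnerable (raw markup reflected), encoded (reflected only as HTML entities), altered (canary present but the markup was changed in some other way, inspect manually), or not reflected. The endpoint URL and form field name in `probe_endpoint` are hypothetical and must be taken from the deployment under test; the sample responses in `__main__` are constructed.

```python
import html
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def make_probe():
    """Return (payload, canary). The canary is random so that a hit in the
    response cannot be a coincidence with content already on the page."""
    canary = secrets.token_hex(4)
    return f"<script>alert('{canary}')</script>", canary


def classify_reflection(body: str, payload: str, canary: str) -> str:
    """Classify how the server echoed the probe back in an HTML response."""
    if payload in body:
        # Raw markup reflected: a browser would execute it.
        return "vulnerable"
    if payload in html.unescape(body):
        # Reflected only through HTML entities (&lt;, &#x27;, &#039; ...):
        # rendered as text, not executed. Covers any standard entity encoding.
        return "encoded"
    if canary in body or canary in html.unescape(body):
        # The value came back but the markup was stripped or mangled;
        # could be a sanitizer or a partial filter, so look at it by hand.
        return "altered"
    return "not-reflected"


def probe_endpoint(url: str, field: str, timeout: float = 10.0) -> str:
    """Submit the probe as form field `field` to `url` and classify the response.
    `url` and `field` are deployment-specific (hypothetical here). Authenticated
    endpoints additionally need a session cookie in the request headers."""
    payload, canary = make_probe()
    req = Request(url, data=urlencode({field: payload}).encode(), method="POST")
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, payload, canary)


if __name__ == "__main__":
    payload, canary = make_probe()
    # Constructed responses standing in for an unpatched and a patched module.
    unpatched = f"<p>Invalid field name: {payload}</p>"
    patched = f"<p>Invalid field name: {html.escape(payload)}</p>"
    print("unpatched:", classify_reflection(unpatched, payload, canary))
    print("patched:  ", classify_reflection(patched, payload, canary))
```

Only "encoded" or "not-reflected" counts as a pass. JSON responses that escape `<` as `\u003c` will be reported as "altered" by this HTML-oriented check and need a separate look, as will responses served with a Content-Type that the browser does not render as HTML.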
CVE-2020-36635 is a cross-site scripting (XSS) vulnerability in the OpenMRS Appointment Scheduling Module, allowing attackers to inject malicious scripts.
You are affected if you are using OpenMRS Appointment Scheduling Module versions 1.0 through 1.12.x.
Upgrade the OpenMRS Appointment Scheduling Module to version 1.13.0 or later. Implement input validation and output encoding as an interim measure.
There is no current evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the OpenMRS security advisories for detailed information and updates: [https://www.openmrs.org/security/](https://www.openmrs.org/security/)