Platform
java
Component
openmrs-module-appointmentscheduling
Fixed in
1.0.1
1.1.1
1.2.1
1.3.1
1.4.1
1.5.1
1.6.1
1.7.1
1.8.1
1.9.1
1.10.1
1.11.1
1.12.1
CVE-2020-36635 is a cross-site scripting (XSS) vulnerability affecting the OpenMRS Appointment Scheduling Module. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability impacts versions 1.0 through 1.12.x and can be resolved by upgrading to version 1.13.0.
Successful exploitation of CVE-2020-36635 allows an attacker to inject arbitrary JavaScript code into the OpenMRS Appointment Scheduling Module. This code can then be executed in the context of a user's browser, potentially granting the attacker access to sensitive information such as session cookies. An attacker could leverage this to impersonate legitimate users, modify data, or redirect users to malicious websites. The impact is amplified if the OpenMRS instance handles Protected Health Information (PHI), as attackers could potentially steal or manipulate this data. While the CVSS score is LOW, the potential for user compromise and data exposure warrants immediate attention.
CVE-2020-36635 was publicly disclosed on December 27, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept exploits have been widely published, but the XSS nature of the vulnerability makes it relatively easy to exploit. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS
0.29% (52nd percentile)
CVSS Vector
The primary mitigation for CVE-2020-36635 is to upgrade the OpenMRS Appointment Scheduling Module to version 1.13.0 or later. This version includes a fix for the vulnerable code. If immediate upgrading is not possible, consider implementing input validation and output encoding on the validateFieldName function to sanitize user-supplied data. While not a complete solution, this can reduce the attack surface. Review and strengthen web application firewall (WAF) rules to detect and block XSS attempts targeting the appointment scheduling API. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the appointment scheduling API and verifying that it is properly sanitized.
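The interim mitigation above (input validation plus output encoding on the reflected field name) and the post-upgrade check (submitting the `<script>alert('XSS')</script>` probe and confirming it comes back encoded) are shown together in the following Java example. It is an added illustration, not code from the OpenMRS Appointment Scheduling Module; the method names `validateFieldNameUnsafe`, `validateFieldNameSafe`, `htmlEncode` and `responseReflectsProbe`, the error-message format, and the identifier pattern are assumptions made for the example and do not describe the module's real `validateFieldName` signature.

```java
import java.util.regex.Pattern;

/**
 * Added illustration (not OpenMRS code): a field name that is reflected back
 * in an HTML error message is an XSS sink; output encoding closes it, and a
 * strict identifier whitelist shrinks the attack surface further.
 * All names, messages and patterns here are assumptions for the example.
 */
public class FieldNameEncodingDemo {

    // Constructed sample: the probe the advisory suggests for verifying the fix.
    static final String PROBE = "<script>alert('XSS')</script>";

    // Assumed whitelist for identifier-like field names (not the module's own rule).
    private static final Pattern SAFE_FIELD_NAME =
            Pattern.compile("^[A-Za-z][A-Za-z0-9_.]{0,63}$");

    /** Vulnerable shape: the untrusted value is concatenated straight into HTML. */
    static String validateFieldNameUnsafe(String fieldName) {
        if (!SAFE_FIELD_NAME.matcher(fieldName).matches()) {
            return "<p class=\"error\">Invalid field name: " + fieldName + "</p>";
        }
        return "";
    }

    /** Hardened shape: same message, but every HTML-significant character is encoded. */
    static String validateFieldNameSafe(String fieldName) {
        if (!SAFE_FIELD_NAME.matcher(fieldName).matches()) {
            return "<p class=\"error\">Invalid field name: " + htmlEncode(fieldName) + "</p>";
        }
        return "";
    }

    /** Minimal encoder for HTML body context; a library such as the OWASP Java Encoder covers more cases. */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Post-upgrade check from the advisory: the probe must not appear verbatim in the response. */
    static boolean responseReflectsProbe(String responseBody) {
        return responseBody.contains(PROBE);
    }

    public static void main(String[] args) {
        String unsafe = validateFieldNameUnsafe(PROBE);
        String safe = validateFieldNameSafe(PROBE);
        System.out.println("unsafe response: " + unsafe);
        System.out.println("safe response:   " + safe);
        System.out.println("unsafe reflects probe: " + responseReflectsProbe(unsafe));
        System.out.println("safe reflects probe:   " + responseReflectsProbe(safe));
    }
}
```

The whitelist alone is not enough: an invalid name is still echoed back to the user, so the encoding step is what actually prevents script execution. `responseReflectsProbe` is the same test a tester would run against the real API after upgrading, applied to a captured response body.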
Upgrade the Appointment Scheduling module to version 1.13.0 or later. This version contains a fix for the Cross-Site Scripting (XSS) vulnerability in the validateFieldName function. The upgrade can be performed through the OpenMRS module manager.
CVE-2020-36635 is a cross-site scripting (XSS) vulnerability in the OpenMRS Appointment Scheduling Module, allowing attackers to inject malicious scripts.
You are affected if you are using OpenMRS Appointment Scheduling Module versions 1.0 through 1.12.x.
Upgrade the OpenMRS Appointment Scheduling Module to version 1.13.0 or later. Implement input validation and output encoding as an interim measure.
There is no current evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the OpenMRS security advisories for detailed information and updates: [https://www.openmrs.org/security/](https://www.openmrs.org/security/)