Platform
java
Component
openmrs-module-adminui
Fixed in
1.0.1
1.1.1
1.2.1
1.3.1
1.4.1
CVE-2020-36636 describes a problematic cross-site scripting (XSS) vulnerability discovered in the OpenMRS Admin UI Module. This flaw resides within the sendErrorMessage function of the AccountPageController.java file, allowing attackers to inject malicious scripts. The vulnerability affects versions 1.0 through 1.4 of the module and can be exploited remotely. A fix is available in version 1.5.0.
Successful exploitation of CVE-2020-36636 allows an attacker to inject arbitrary JavaScript code into the OpenMRS Admin UI Module. This can lead to a variety of malicious outcomes, including session hijacking, phishing attacks, and defacement of the administrative interface. An attacker could potentially steal sensitive user credentials, modify system configurations, or gain unauthorized access to patient data stored within the OpenMRS system. The impact is particularly severe given the module's role in managing user accounts and system settings within the OpenMRS platform.
CVE-2020-36636 was publicly disclosed in December 2022. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) code has been widely released, but the nature of XSS vulnerabilities makes it likely that a PoC could be developed relatively easily. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.29% (52% percentile)
CVSS Vector
The primary mitigation for CVE-2020-36636 is to upgrade the OpenMRS Admin UI Module to version 1.5.0 or later. This version includes a patch (702fbfdac7c4418f23bb5f6452482b4a88020061) that addresses the vulnerability. If immediate upgrading is not feasible, consider implementing input validation and output encoding on user-supplied data within the sendErrorMessage function as a temporary workaround. While not a complete solution, this can reduce the attack surface. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the error message field and verifying that it is properly sanitized and does not execute.
Actualice el módulo Admin UI a la versión 1.5.0 o posterior. Esta versión contiene una corrección para la vulnerabilidad de cross-site scripting. La actualización se puede realizar a través del administrador de módulos de OpenMRS.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-36636 is a cross-site scripting (XSS) vulnerability affecting OpenMRS Admin UI Module versions 1.0 through 1.4, allowing attackers to inject malicious scripts.
You are affected if you are using OpenMRS Admin UI Module versions 1.0, 1.1, 1.2, 1.3, or 1.4. Upgrade to version 1.5.0 or later to mitigate the risk.
Upgrade the OpenMRS Admin UI Module to version 1.5.0 or later. The patch identifier is 702fbfdac7c4418f23bb5f6452482b4a88020061.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-36636, but the vulnerability's nature makes it a potential target.
Refer to the OpenMRS security advisories for detailed information and updates regarding CVE-2020-36636: [https://www.openmrs.org/security/](https://www.openmrs.org/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.