A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed.
References
Link | Resource |
---|---|
https://issues.openmrs.org/browse/HTML-730 | Vendor Advisory |
https://github.com/openmrs/openmrs-module-uiframework/pull/59 | Patch Third Party Advisory |
https://www.contrastsecurity.com/security-influencers | Third Party Advisory |
https://github.com/openmrs/openmrs-module-htmlformentry/pull/178 | Patch Third Party Advisory |
https://www.contrastsecurity.com/security-influencers/authenticated-remote-code-execution-openmrs | Exploit Third Party Advisory |
Configurations
Information
Published : 2020-09-24 21:23
Updated : 2020-10-05 11:41
NVD link : CVE-2020-24621
Mitre link : CVE-2020-24621
JSON object : View
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Products Affected
openmrs
- htmlformentry