Posted by Brian Hysell on Jan 06
Title: Unauthenticated remote code execution in OpenMRS
Product: OpenMRS
Vendor: OpenMRS Inc.
Tested versions: See summary
Status: Fixed by vendor
Reported by: Brian D. Hysell

Product description:
OpenMRS is “the world’s leading open source enterprise electronic
medical record system platform.”

Vulnerability summary:
The OpenMRS Reporting Module 0.9.7 passes untrusted XML input to a
version of the XStream library vulnerable to…