CVE-2020-24621 Information

Description

A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/openmrs/openmrs-module-htmlformentry/pull/178 https://github.com/openmrs/openmrs-module-uiframework/pull/59 https://issues.openmrs.org/browse/HTML-730 https://www.contrastsecurity.com/security-influencers https://www.contrastsecurity.com/security-influencers/authenticated-remote-code-execution-openmrs

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8