Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity.
Advisories for Maven/Org.opencrx/Opencrx-Core package
2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field.
Improper Restriction of XML External Entity Reference
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.
2022
Observable Discrepancy
OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.
2021
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance.
2020
Improper Authentication
OpenCRX suffers from an unverified password change vulnerability.