Openmrs

OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.

OpenMRS is vulnerable to a Stored Velocity SSTI to RCE via ConceptReferenceRange, where the `ConceptReferenceRangeUtility.evaluateCriteria()` method evaluates database-stored criteria strings as Apache Velocity templates without a sandbox, allowing unrestricted Java reflection through template expressions, leading to persistent remote code execution and privilege escalation when a user with the `Manage Concepts` privilege stores a malicious Velocity template expression in a concept's reference range criteria field.

OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.