{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openmrs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-web (\u003c= 2.7.8)","openmrs-web (\u003e= 2.8.0, \u003c= 2.8.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","zip-slip","rce","openmrs","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the \u003ccode\u003ePOST /openmrs/ws/rest/v1/module\u003c/code\u003e endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted \u003ccode\u003e.omod\u003c/code\u003e archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. 
The vulnerability stems from incomplete path validation within the \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e function, an oversight compared to other extraction methods within the same codebase that are properly protected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e.omod\u003c/code\u003e file containing a ZIP entry with a path traversal payload, such as \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint, uploading the malicious \u003ccode\u003e.omod\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and parses the uploaded \u003ccode\u003e.omod\u003c/code\u003e file, treating it as a ZIP archive.\u003c/li\u003e\n\u003cli\u003eDuring module loading via \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e, the server extracts entries under the \u003ccode\u003eweb/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDue to an incomplete check, the entry \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e passes the initial validation.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended \u003ccode\u003eWEB-INF/view/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eIf the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS\u0026rsquo;s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenMRS Malicious Module Upload\u003c/code\u003e to identify exploitation attempts based on HTTP requests to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint with suspicious file extensions in the query parameters.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events within the web application root directory for suspicious JSP files. 
Use the Sigma rule \u003ccode\u003eDetect JSP File Creation in Web Application Root\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003emodule.allow_web_admin\u003c/code\u003e restriction consistently across all module upload entry points, including the REST API to prevent bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:39:31Z","date_published":"2026-05-04T17:39:31Z","id":"/briefs/2024-01-openmrs-zip-slip/","summary":"OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.","title":"OpenMRS Module Upload Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-api (\u003e= 2.7.0, \u003c 2.7.9)","openmrs-api (\u003e= 2.8.0, \u003c 2.8.6)"],"_cs_severities":["critical"],"_cs_tags":["ssti","rce","velocity","openmrs"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS is vulnerable to a critical security flaw stemming from the unsafe use of Apache Velocity templates. Specifically, the \u003ccode\u003eConceptReferenceRangeUtility.evaluateCriteria()\u003c/code\u003e method processes database-stored criteria strings as Velocity templates without any sandbox restrictions. This allows for unrestricted Java reflection through template expressions. A user possessing the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege can inject a malicious Velocity template expression into a concept\u0026rsquo;s reference range criteria field. This payload will then execute automatically whenever a user or an API call validates an observation against the compromised concept. 
This issue impacts OpenMRS versions 2.7.0 through 2.7.8, and 2.8.0 through 2.8.5. Successful exploitation allows an attacker to escalate privileges from content management to arbitrary code execution as the Tomcat application server process, with the potential for exfiltration of protected health information (PHI). The vulnerability is identified as CVE-2026-41258.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an OpenMRS account with the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the concept dictionary management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a commonly used concept, such as one for a standard clinical measurement.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the concept and injects a malicious Velocity template expression into the concept\u0026rsquo;s reference range criteria field. The expression leverages Java reflection to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe malicious template is saved and stored in the \u003ccode\u003econcept_reference_range\u003c/code\u003e database table.\u003c/li\u003e\n\u003cli\u003eA user or API call validates an observation against the affected concept, triggering the execution of the stored Velocity template.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the Tomcat application server process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing a web shell for persistent access or exfiltrating patient data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for persistent remote code execution on the OpenMRS server. 
The injected payload persists within the \u003ccode\u003econcept_reference_range\u003c/code\u003e database table (VARCHAR 65535). A single compromised concept, especially one used for common clinical measurements, can lead to the execution of the malicious payload on every subsequent observation validation across all users, API clients, and integrations. This affects all facilities using the compromised OpenMRS instance. The attacker can escalate privileges from content dictionary management to arbitrary code execution and potentially exfiltrate PHI data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS to version 2.8.6 or 2.7.9 or later to patch CVE-2026-41258.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege to only authorized users, as mentioned in the advisory\u0026rsquo;s workarounds.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule detecting Velocity template injection attempts to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement database monitoring to detect unauthorized modifications to the \u003ccode\u003econcept_reference_range\u003c/code\u003e table to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-ssti/","summary":"OpenMRS is vulnerable to a Stored Velocity SSTI to RCE via ConceptReferenceRange, where the `ConceptReferenceRangeUtility.evaluateCriteria()` method evaluates database-stored criteria strings as Apache Velocity templates without a sandbox, allowing unrestricted Java reflection through template expressions, leading to persistent remote code execution and privilege escalation when a user with the `Manage Concepts` privilege stores a malicious Velocity template expression in a concept's reference range criteria field.","title":"OpenMRS 
Stored Velocity SSTI to RCE via ConceptReferenceRange","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Tomcat","OpenMRS Core","openmrs-web"],"_cs_severities":["high"],"_cs_tags":["path-traversal","information-disclosure","openmrs"],"_cs_type":"advisory","_cs_vendors":["Apache","OpenMRS"],"content_html":"\u003cp\u003eOpenMRS Core, a widely used open-source medical record system, is vulnerable to a path traversal attack via the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e. This flaw affects versions up to 2.7.8 and versions 2.8.0 through 2.8.5. An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL to read arbitrary files from the server\u0026rsquo;s filesystem. The vulnerability exists because the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e component fails to properly validate user-supplied path input when serving static module resources. This vulnerability is particularly critical because the affected endpoint is not protected by authentication filters. Successful exploitation depends on the server running an Apache Tomcat version before 8.5.31 or before 9.0.10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenMRS instance running on a susceptible Tomcat version.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid module ID installed on the target OpenMRS instance (e.g., \u003ccode\u003elegacyui\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the \u003ccode\u003e/openmrs/moduleResources/{moduleid}\u003c/code\u003e endpoint containing a path traversal sequence (e.g., \u003ccode\u003e..;\u003c/code\u003e) within the URL. 
The request attempts to access a sensitive file, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e receives the request and extracts the path information without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path by concatenating the web application root, module path, module ID, \u0026ldquo;resources,\u0026rdquo; and the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eDue to missing path sanitization and normalization, the resulting file path points to the attacker-specified file outside the intended resources directory.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the arbitrary file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns the file content in the HTTP response to the attacker, resulting in information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to read arbitrary files on the OpenMRS server. This can lead to the exposure of sensitive information, including system configuration files containing database credentials, potentially compromising the entire application and patient data. 
The number of affected deployments is unknown, but any OpenMRS instance running vulnerable versions on older Tomcat installations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS Core to a patched version beyond 2.8.5 to address CVE-2026-40075.\u003c/li\u003e\n\u003cli\u003eAs a short-term mitigation, upgrade Apache Tomcat to version 8.5.31 or later, or 9.0.10 or later, to leverage container-level path traversal protection.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts against the vulnerable \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URL patterns containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..;\u003c/code\u003e, \u003ccode\u003e%2e%2e%2f\u003c/code\u003e) targeting the \u003ccode\u003e/openmrs/moduleResources/\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-path-traversal/","summary":"OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.","title":"OpenMRS ModuleResourcesServlet Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Openmrs","version":"https://jsonfeed.org/version/1.1"}