GHSA-vpxm-cr3r-pjp9: 
Java vulnerability analysis and mitigation

A critical security advisory was issued for OpenMRS on January 30, 2025, following a third-party penetration testing assessment. The vulnerability affects multiple OpenMRS modules including the core platform (versions < 2.6.11), addresshierarchy (versions < 2.19.0), attachments (versions < 3.6.0), idgen (versions < 4.14.0), legacyui (versions < 1.21.0), and patientflags (versions < 3.0.8). The assessment was conducted on the OpenMRS v3 Reference Application (O3 RefApp), though the findings also impact modules commonly used in older OpenMRS applications (GitHub Advisory).

The security assessment revealed multiple vulnerabilities including broken access control (leading to inappropriate admin access), phishing vulnerabilities, and stored XSS issues related to vulnerable passwords. The vulnerabilities are tracked under CWE-209, CWE-284, CWE-601, and CWE-614. After implementing fixes, the OpenMRS O3 RefApp achieved a Security Level of 'Excellent, Grade A'. Notably, no vulnerabilities were discovered in the O3 frontend esm modules (GitHub Advisory).

The vulnerabilities affect all OpenMRS instances and could potentially allow unauthorized administrative access, enable phishing attacks, and exploit stored XSS vulnerabilities. The impact is considered critical, affecting both newer and older OpenMRS applications including the O2 RefApp (GitHub Advisory).

Users are strongly recommended to upgrade to the patched versions: Platform 2.6.11+ (or 2.7+), Legacy UI OMOD 1.21.0+, ID Gen OMOD 4.14.0+, Address Hierarchy OMOD 2.19.0+, Attachments OMOD 3.6.0+, and Patient Flags OMOD 3.0.8+. For Bahmni ecosystem users on Platform 2.5+, version 2.5.14 includes the necessary patches. No practical workarounds exist without upgrading, as removing affected OMODs would severely impact system functionality (GitHub Advisory).