{"id":"CVE-2017-7990","details":"The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.","modified":"2026-03-14T09:24:10.575464Z","published":"2017-04-21T00:59:00.180Z","references":[{"type":"FIX","url":"https://github.com/openmrs/openmrs-module-reporting/pull/141/commits/0023a659288538d2763835847d3414ecb18b931a#diff-50e25eddc5909110fa3d31090877c2fd"},{"type":"EVIDENCE","url":"https://www.youtube.com/watch?v=pfrIaNvIuFY"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openmrs/openmrs-module-reporting","events":[{"introduced":"0"},{"last_affected":"8eaca42029a54fb51d75cd79511767bec84c0cd3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.12.0"}]}}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.11.0","0.7.2.2","0.7.3","0.7.3.1","0.7.4","0.7.4.1","0.7.5","0.7.6","0.7.7","0.7.8","0.8","0.8.1","0.8.2","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.8.1","0.9.9","1.12.0","reporting-0.7.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}