{"id":"CVE-2020-24621","details":"A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed.","modified":"2026-04-10T04:24:59.826044Z","published":"2020-09-25T04:23:04.467Z","references":[{"type":"ADVISORY","url":"https://issues.openmrs.org/browse/HTML-730"},{"type":"ADVISORY","url":"https://www.contrastsecurity.com/security-influencers"},{"type":"FIX","url":"https://github.com/openmrs/openmrs-module-uiframework/pull/59"},{"type":"FIX","url":"https://github.com/openmrs/openmrs-module-htmlformentry/pull/178"},{"type":"EVIDENCE","url":"https://www.contrastsecurity.com/security-influencers/authenticated-remote-code-execution-openmrs"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openmrs/openmrs-module-htmlformentry","events":[{"introduced":"0"},{"fixed":"56e5ededf74f1bb9d23270db73dfed93ce70c508"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.11.0"}]}}],"versions":["1.8.0","1.8.1","1.9.0","1.9.1","1.9.2","1.9.3","1.9.4","2.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.1","2.1.1","2.1.2","2.1.3","2.1.4.1","2.1.5","2.2","2.2.1","2.3","2.4","2.5","2.7","3.0","3.1","3.10.0","3.3.0","3.3.1","3.3.2","3.5.1","3.6.0","3.7.0","3.8.0","3.9.2","htmlformentry-2.1.4","htmlformentry-2.4","openmrs-1.6.x","openmrs-1.7.x","v1.10.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24621.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}