In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.opencrx:opencrx-core(Maven) | 4.0.0 | 5.2.0 | N/A |
| org.opencrx:opencrx-core-models(Maven) | 4.0.0 | 5.2.0 | N/A |
| org.opencrx:opencrx-core-config(Maven) | 4.0.0 | 5.2.0 | N/A |
| org.opencrx:opencrx-client(Maven) | 4.0.0 | 5.2.0 | N/A |
| org.opencrx:opencrx-gradle(Maven) | 4.0.0 | 5.2.0 | N/A |
CVSS Metrics
