OpenMRS Security Advisory
Exploit: allows Remote Code Execution without needing to log in.
What versions are affected?
Html Form Entry module (all versions)
Reporting compatibility module (all versions)
OpenMRS Reference Application (all versions)
Anyone running the html form entry or reporting compatibility module (included in the Reference Application) should immediately upgrade to the latest released versions of the modules, which are available here.
This includes anyone running any version of the OpenMRS Reference Application, as well as anyone who has installed the above modules on top of an OpenMRS Platform release, a new version of the reference application is available here.
A huge thank you goes out to @isears who and his team identified the vulnerabilities and worked with us to get them addressed.