GHSA-47g2-qmh2-749v |
Description: Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and in the diff view when an invalid Kubernetes Secret resource was synced from a repository.
Exploitation requires write access to the repository: a user with that access can trigger the issue, intentionally or by accident, by committing an invalid Secret to the repository and triggering a Sync. Once triggered, any user with read access to Argo CD can view the exposed secret data.
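The failure mode and the fix pattern, as an added example in Go that is not Argo CD's or gitops-engine's own code. The generic manifest type, the base64 validation rule used to make the Secret "invalid", the field names checked and the redaction marker are all assumptions made for the example; the sample Secret is constructed here. The unsafe formatter embeds the whole manifest in the error, which is what then surfaces in sync status and the diff view; the safe one redacts `data` and `stringData` values first, keeping the keys so the error stays actionable.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
)

// Object is a manifest decoded from YAML/JSON into a generic map. Argo CD
// works with unstructured.Unstructured; the plain map is an assumption so
// the example has no dependencies.
type Object map[string]any

// redacted replaces every secret value. The exact marker Argo CD uses in
// its diff view is not shown on this page; a run of plus signs is assumed.
const redacted = "++++++++"

// invalidDataKey checks one rule the Kubernetes API enforces on Secret.data
// that a repository commit can easily violate: every value must be base64.
// It returns the first offending key (in sorted order), or "" if all are fine.
func invalidDataKey(obj Object) string {
	data, _ := obj["data"].(map[string]any)
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		s, ok := data[k].(string)
		if !ok {
			return k
		}
		if _, err := base64.StdEncoding.DecodeString(s); err != nil {
			return k
		}
	}
	return ""
}

// formatErrorUnsafe is the vulnerable pattern: the error carries the whole
// manifest, secret values included, and the string propagates to anyone who
// can read the Application's sync status.
func formatErrorUnsafe(obj Object, key string) error {
	raw, _ := json.Marshal(obj)
	return fmt.Errorf("invalid Secret: data[%q] is not base64: %s", key, raw)
}

// redactSecret returns a copy of a Secret with every data/stringData value
// replaced by the marker. Non-Secret objects are returned unchanged.
func redactSecret(obj Object) Object {
	if kind, _ := obj["kind"].(string); kind != "Secret" {
		return obj
	}
	out := make(Object, len(obj))
	for k, v := range obj {
		out[k] = v
	}
	for _, field := range []string{"data", "stringData"} {
		m, ok := obj[field].(map[string]any)
		if !ok {
			continue
		}
		r := make(map[string]any, len(m))
		for k := range m {
			r[k] = redacted
		}
		out[field] = r
	}
	return out
}

// formatErrorSafe is the hardened pattern: same message, built from the
// redacted copy, so the key that failed is named but no value leaks.
func formatErrorSafe(obj Object, key string) error {
	raw, _ := json.Marshal(redactSecret(obj))
	return fmt.Errorf("invalid Secret: data[%q] is not base64: %s", key, raw)
}

// sampleSecret is a constructed manifest: "password" holds a raw value
// instead of base64, the kind of mistake the API server rejects.
func sampleSecret() Object {
	return Object{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   map[string]any{"name": "db-creds", "namespace": "prod"},
		"type":       "Opaque",
		"data": map[string]any{
			"username": base64.StdEncoding.EncodeToString([]byte("app")),
			"password": "hunter2!", // '!' is outside the base64 alphabet
		},
		"stringData": map[string]any{"token": "plain-token-value"},
	}
}

func main() {
	obj := sampleSecret()
	key := invalidDataKey(obj)
	fmt.Println("before fix:", formatErrorUnsafe(obj, key))
	fmt.Println("after fix: ", formatErrorSafe(obj, key))
}
```

The redaction is applied to the object before it is formatted, not to the finished string: scrubbing known values out of an already-built message is fragile, because the same values may appear encoded, quoted or truncated, and the error path is exactly where a resource that failed normal processing (and so skipped the usual masking) ends up.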
Patches
A patch for this vulnerability is available in the following Argo CD versions:
v2.13.4
v2.12.10
v2.11.13
Workarounds
There is no workaround other than upgrading.
References
Fixed with commits https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 and https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j
https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107
https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
https://github.com/advisories/GHSA-47g2-qmh2-749v
January 30th, 2025
|
|
Description: Impact
OpenMRS recently underwent penetration testing by a third-party company. Vulnerabilities were found, and fixes have been made and released. The security updates include critical fixes, so we strongly recommend upgrading the affected modules.
This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings concern modules commonly used in older OpenMRS applications as well, including the O2 RefApp.
Vulnerability Details
The issues uncovered included broken access control (e.g. inappropriate admin access), a phishing vulnerability, and stored XSS (e.g. vulnerable passwords).
No vulnerabilities were found in the O3 frontend esm modules.
The Letter of Attestation from the penetration test is available here for your reference.
After the fixes were applied, the OpenMRS O3 RefApp met a Security Level of “Excellent, Grade A”.
The full detailed Remediation Pentest Report is available to Implementation Technical Leads upon request.
Patches
Minimum Requirements for Implementers: We strongly recommend upgrading your modules to the following versions (or greater) as soon as possible. This is the minimum required to be protected from the vulnerabilities that were found and fixed. The following versions contain the patch:
Platform 2.6.11+
How: Increase your platform version number wherever this is specified in your implementation. If you use the OpenMRS SDK, this will be in the distro.prope...
January 30th, 2025
|
CVE-2024-55416 |
Description: DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By tricking an authenticated user into clicking a crafted link, an attacker can execute arbitrary JavaScript in that user's browser session.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-55416
https://github.com/thedevdojo/voyager/blob/1.6/resources/views/master.blade.php#L132
https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L44
https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities
https://github.com/advisories/GHSA-mm49-4f2g-c3wf
EPSS Score: 0.07%
January 30th, 2025
|
CVE-2024-55415 |
Description: DevDojo Voyager through version 1.8.0 is vulnerable to path traversal via the /admin/compass endpoint.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-55415
https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L213
https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L44
https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities
https://github.com/advisories/GHSA-j63m-2vr6-fv7m
EPSS Score: 0.07%
January 30th, 2025
|
|
Description: The New York Blood Center (NYBC), one of the world's largest independent blood collection and distribution organizations, says a Sunday ransomware attack forced it to reschedule some appointments. [...]
January 30th, 2025
|