Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2018-19276
PUBLISHED
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary...
- Vendor: OpenMRS
- Product: OpenMRS
- Published: Mar 17, 2019
- EPSS: —
Description
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
CVSS scores
CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N
Exploitation status
Proof of concept available
Recorded 2019-03-11 21:28:55 UTC · Source
References
- http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html
- https://www.exploit-db.com/exploits/46327/
- http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html
- https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization
- https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) | Jun 21, 2025 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-19276.yaml | Jun 02, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openmrs_deserialization.rb | Apr 28, 2025 |
Potential proofs of concept
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2019-03-11 21:28:55 UTC · 16 stars
CVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE
Timeline
- CVE ID Reserved
- Proof of Concept Exploit Available
- CVE Published to Public
- Detected by Metasploit
- Detected by Nuclei
- Added to KEVIntel