CVE-2018-19276
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- November 14, 2018
- Published Date
- March 17, 2019
- Last Updated
- August 05, 2024
- Vendor
- OpenMRS
- Product
- OpenMRS
- Description
- OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
- Tags
- Score
- 92.08% (Percentile: 99.69%) as of 2025-06-14
- Exploited in the Wild
- Yes (2025-05-29 00:00:00 UTC) Source
CVSS Scores
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS Score
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-05-30 12:00:41 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-19276.yaml | 2025-05-23 08:30:16 UTC |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openmrs_deserialization.rb | 2025-04-29 11:01:22 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
openmrs_deserialization
Type: metasploit • Created: Unknown
mpgn/CVE-2018-19276
Type: github • Created: 2019-03-11 21:28:55 UTC • Stars: 16
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Detected by Metasploit
-
Detected by Nuclei
-
Added to KEVIntel