CVE-2020-5728
OpenMRS 2.9 and earlier versions are affected by an input-validation issue where the application copies the Referrer header into an HTML element named redirectUrl on multiple pages (e.g., login.htm). The description notes insufficient validation for this parameter, enabling cross-site scripting. ...