10 matches found
CVE-2022-24848
DHIS2 SQL Injection (CVE-2022-24848) affects the API endpoint /api/programs/orgUnits?programs= for DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The vulnerability requires the attacker to be logged in as a DHIS2 user and could allow reading, editing, or deleting data in the instance’s database....
CVE-2022-41948
CVE-2022-41948 describes a privilege-escalation in DHIS 2 core where a user with authority to manage users can self-assign superuser privileges by crafting an HTTP PUT request. The root cause is improper handling of user-management authority that allows self-elevation if the attacker is authentic...
CVE-2022-41949
CVE-2022-41949 affects DHIS 2 core. An authenticated DHIS2 user can craft a request that makes the server fetch external resources, enabling a semi‑blind Server-Side Request Forgery (SSRF) in the dhis2-core component. This can allow an attacker to identify vulnerable services not publicly exposed...
CVE-2022-41947
CVE-2022-41947 describes a cross-site scripting (XSS) vulnerability in DHIS 2 core where an authenticated user can upload a file containing embedded JavaScript, which could be triggered when another authenticated user opens the file in a browser. Affected versions are DHIS 2 prior to 2.36.12.1, 2...
CVE-2021-32704
DHIS 2 SQL injection (CVE-2021-32704) affects the API endpoint /api/trackedEntityInstances in DHIS2 versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0. The vulnerability is a SQL injection that can be exploited by a logged-in DHIS2 user, potentially allowing reading, editing, and deleting data w...
CVE-2023-31139
DHIS2 Core contains the service layer and Web API. The issue arises in versions prior to 2.37.9.1, 2.38.3.1, and 2.39.1.2, where Personal Access Tokens (PATs) generate unrestricted session cookies, potentially bypassing other access controls (e.g., IP restrictions or HTTP methods). Impact is a by...
CVE-2023-32060
CVE-2023-32060 affects DHIS2 Core from the 2.35 branch prior to fixes: versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0. The issue is an improper access control for Category Option Combination Sharing that can cause the API endpoints /trackedEntityInstances and /events to return all events regardless...
CVE-2021-39179
CVE-2021-39179 concerns DHIS2 Tracker API SQL injection affecting authenticated users. Provided documents (NVD, Red Hat RH, OSV, CVE lists) describe a SQL injection in the Tracker component that can be triggered via POST paths /api/trackedEntityInstances and /api/trackedEntityInstances/query, imp...
CVE-2021-41187
CVE-2021-41187 concerns DHIS 2. A SQL injection vulnerability exists in specific DHIS2 versions (2.32, 2.33, 2.34, 2.35, 2.36) affecting the REST endpoints for /api/trackedEntityInstances and /api/events . Exploitation requires the attacker to be an authenticated DHIS2 user, and successful exploi...
CVE-2023-31138
CVE-2023-31138 affects DHIS2 Core: starting in the 2.36 branch and before 2.37.9.1, 2.38.3.1, or 2.39.1.2, authenticated users with write access to an object may modify related objects via object model traversal in a PATCH payload. Mitigation is to upgrade to a supported version: 2.37.9.1, 2.38.3...