{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "3.11.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "56e5ededf74f1bb9d23270db73dfed93ce70c508"
            }
          ],
          "repo": "https://github.com/openmrs/openmrs-module-htmlformentry",
          "type": "GIT"
        }
      ]
    }
  ],
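  "details": "A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module for OpenMRS in versions before 3.11.0. Using path traversal, an attacker could write a malicious Velocity Template Language (VTL) file to a directory; that file could then be accessed and executed. The CVSS vector in this record rates the required privileges as low (PR:L), and the referenced write-up describes the issue as authenticated RCE.",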
  "id": "CVE-2020-24621",
  "modified": "2026-04-01T23:10:31.245271237Z",
  "published": "2020-09-25T04:23:04.467Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://issues.openmrs.org/browse/HTML-730"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.contrastsecurity.com/security-influencers"
    },
    {
      "type": "FIX",
      "url": "https://github.com/openmrs/openmrs-module-uiframework/pull/59"
    },
    {
      "type": "FIX",
      "url": "https://github.com/openmrs/openmrs-module-htmlformentry/pull/178"
    },
    {
      "type": "EVIDENCE",
      "url": "https://www.contrastsecurity.com/security-influencers/authenticated-remote-code-execution-openmrs"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}