CVE-2020-5730

In OpenMRS 2.9 and prior, the sessionLocation parameter for the login page is vulnerable to cross-site scripting.
Source: NIST
CVE-2020-5730