CVE-2019-12741

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-12741

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12741.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-12741

Aliases

GHSA-52mh-p2m2-w625

Published

2019-06-05T15:29:01Z

Modified

2024-05-14T06:50:52.222282Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

References

Affected packages

Git / github.com/hapifhir/hapi-fhir

Affected ranges

Type: GIT
Repo: https://github.com/hapifhir/hapi-fhir
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8f41159eb147eeb964cad68b28eff97acac6ea9a

Type: GIT
Repo: https://github.com/jamesagnew/hapi-fhir
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

73aa53be8fe5496e81d4a88a0bca25dfb078138b

Affected versions

v0.*

v0.4

v0.5

v0.6

v0.7

v0.8

v0.9

v1.*

v1.0

v1.1

v1.2

v1.3

v1.4

v1.5

v1.6

v2.*

v2.0

v2.1

v2.2

v2.3

v2.4

v2.5

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.3.0

v3.4.0

v3.5.0

v3.6.0

v3.7.0