Search criteria
6 vulnerabilities by hl7
CVE-2025-24363 (GCVE-0-2025-24363)
Vulnerability from cvelistv5 – Published: 2025-01-24 18:54 – Updated: 2025-01-24 19:19
VLAI?
Summary
The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; or users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token.
Severity ?
4.2 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HL7 | fhir-ig-publisher |
Affected:
< 1.8.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T19:19:09.087937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:19:20.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fhir-ig-publisher",
"vendor": "HL7",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; or users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:14:51.895Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9"
}
],
"source": {
"advisory": "GHSA-6729-95v3-pjc2",
"discovery": "UNKNOWN"
},
"title": "The HL7 FHIR IG publisher may potentially expose GitHub repo user and credential information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24363",
"datePublished": "2025-01-24T18:54:44.179Z",
"dateReserved": "2025-01-20T15:18:26.990Z",
"dateUpdated": "2025-01-24T19:19:20.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52807 (GCVE-0-2024-52807)
Vulnerability from cvelistv5 – Published: 2025-01-24 18:34 – Updated: 2025-01-24 19:42
VLAI?
Summary
The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.
Severity ?
8.6 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HL7 | fhir-ig-publisher |
Affected:
< 1.7.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T19:33:43.454536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:42:52.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fhir-ig-publisher",
"vendor": "HL7",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]\u003e` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T18:34:23.255Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4"
}
],
"source": {
"advisory": "GHSA-8c3x-hq82-gjcm",
"discovery": "UNKNOWN"
},
"title": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52807",
"datePublished": "2025-01-24T18:34:23.255Z",
"dateReserved": "2024-11-15T17:11:13.442Z",
"dateUpdated": "2025-01-24T19:42:52.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24057 (GCVE-0-2023-24057)
Vulnerability from cvelistv5 – Published: 2023-01-24 00:00 – Updated: 2025-04-01 19:26
VLAI?
Summary
HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged terminology cache, NPM package, or comparison archive).
Severity ?
8.1 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:49:09.017Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-xr8x-pxm6-prjg"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24057",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T19:25:38.708897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T19:26:42.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged terminology cache, NPM package, or comparison archive)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-24T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-xr8x-pxm6-prjg"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-24057",
"datePublished": "2023-01-24T00:00:00.000Z",
"dateReserved": "2023-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-01T19:26:42.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-5452 (GCVE-0-2014-5452)
Vulnerability from cvelistv5 – Published: 2014-09-02 10:00 – Updated: 2024-08-06 11:48
VLAI?
Summary
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:48:48.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"name": "69633",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/69633"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
},
{
"name": "1033511",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033511"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21699588"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-20T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"name": "69633",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/69633"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
},
{
"name": "1033511",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033511"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21699588"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-5452",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html",
"refsource": "CONFIRM",
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"name": "69633",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/69633"
},
{
"name": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088",
"refsource": "CONFIRM",
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"name": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/",
"refsource": "MISC",
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
},
{
"name": "1033511",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033511"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21699588",
"refsource": "CONFIRM",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21699588"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-5452",
"datePublished": "2014-09-02T10:00:00",
"dateReserved": "2014-08-25T00:00:00",
"dateUpdated": "2024-08-06T11:48:48.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3861 (GCVE-0-2014-3861)
Vulnerability from cvelistv5 – Published: 2014-09-02 10:00 – Updated: 2024-08-06 10:57
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:57:17.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-09-02T03:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3861",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html",
"refsource": "CONFIRM",
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"name": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088",
"refsource": "CONFIRM",
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"name": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/",
"refsource": "MISC",
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3861",
"datePublished": "2014-09-02T10:00:00",
"dateReserved": "2014-05-25T00:00:00",
"dateUpdated": "2024-08-06T10:57:17.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3862 (GCVE-0-2014-3862)
Vulnerability from cvelistv5 – Published: 2014-09-02 10:00 – Updated: 2024-08-06 10:57
VLAI?
Summary
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:57:17.866Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-09-02T03:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3862",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html",
"refsource": "CONFIRM",
"url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"
},
{
"name": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088",
"refsource": "CONFIRM",
"url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView\u0026release_id=1088"
},
{
"name": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/",
"refsource": "MISC",
"url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3862",
"datePublished": "2014-09-02T10:00:00",
"dateReserved": "2014-05-25T00:00:00",
"dateUpdated": "2024-08-06T10:57:17.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}