XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| ca.uhn.hapi.fhir:hapi-fhir-base(Maven) | 0 | 3.8.0 | N/A |
CVSS Metrics
