Stream: hapi
Topic: XSS vulnerability in hapi-fhir-testpage-overlay
James Agnew (Jun 07 2019 at 12:29):
Hi All,
A quick note that a security research team discovered and disclosed a potential XSS vulnerability in the hapi-fhir-testpage-overlay module (otherwise known as the end-user UI that powers http://hapi.fhir.org). This vulnerability affects versions of this module below 3.8.0 (and is resolved in 3.8.0). Affected users are advised to upgrade immediately.
Please see the following link for more details: https://nvd.nist.gov/vuln/detail/CVE-2019-12741
Thanks to Mudit Punia and Dushyant Garg for their help with this issue.
Grahame Grieve (Jun 07 2019 at 12:31):
Thanks, James.
John Moehrke (Jun 07 2019 at 14:19):
Thanks, James, for being transparent. I suspect MANY tools have XSS bugs; most will silently fix. By bringing this to light you are helping your peers understand that security is hard, but also that security must be taken seriously. Thank you.
Last updated: Apr 12 2022 at 19:14 UTC