FHIR Chat · XSS Vulnerability in HAPI FHIR Testpage Overlay · Security and Privacy

Stream: Security and Privacy

Topic: XSS Vulnerability in HAPI FHIR Testpage Overlay


James Agnew (Nov 19 2020 at 02:35):

Hello all - I just wanted to make sure that everyone is aware that a Cross-Site Scripting (XSS) security vulnerability was disclosed and fixed in HAPI FHIR 5.1.0. As the testpage module does not generally get deployed in production servers, we consider this vulnerability to have a low potential attack surface, but there may be production users we are not aware of. Any users of this module are advised to upgrade as soon as possible.

This vulnerability has been assigned CVE-2020-24301 - https://nvd.nist.gov/vuln/detail/CVE-2020-24301

Note that we are launching HAPI FHIR 5.2.0 tomorrow and this vulnerability affects only HAPI FHIR 5.0.0 and below. We were a bit delayed in getting a CVE number to reference. Thanks to @Mark Kramer for his help getting that straightened out.


Last updated: Apr 12 2022 at 19:14 UTC