Cross-site scripting (XSS) exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The flaw is in ca/uhn/fhir/to/BaseController.java: unsanitized HTTP parameters are output in a form page, so an attacker can use a specially crafted URL to leak cookies and other sensitive information. (This module is not generally used in production systems, so the attack surface is expected to be low, but operators of affected systems are advised to upgrade to 3.8.0 or later immediately.)
[ { "signature_type": "Line", "deprecated": false, "source": "https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a", "signature_version": "v1", "target": { "file": "hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java" }, "digest": { "threshold": 0.9, "line_hashes": [ "322394646498748269869226448963532292247", "297223349063439588668128140357273445862", "312204412830696150128672996707971173230", "314334532338452688053529858770175905776", "324534276017699301977482741958841197816", "334030326527818991524887231118380979379", "220149531720126509925678213887013115608", "192017219783609408020722629308401284727", "40229981143918095712823181645196261844", "238827581832589460966471150852714985452", "195741536995231971118927749398729015169", "247830420808296325277770412206244366966", "262708264908355614453407038386470314082", "107684021343401438874661953476307547660", "35021954230165303612751477354859184552", "144978774783867778970156060699643999719", "152540356137832457088280615946424058829", "294874016313440058176341677597984842672", "219339966706692805641631538870918384977" ] }, "id": "CVE-2019-12741-3ddf3ba6" }, { "signature_type": "Function", "deprecated": false, "source": "https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a", "signature_version": "v1", "target": { "function": "addCommonParams", "file": "hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java" }, "digest": { "function_hash": "13979340989605696099391175575559691536", "length": 796.0 }, "id": "CVE-2019-12741-ac1cb6a3" } ]