CVE-2014-3862

Name of the Vulnerable Software and Affected Versions HL7 C-CDA versions 1.1 and earlier

Description The issue allows remote attackers to discover potentially sensitive URLs via a crafted reference element. This is achieved by triggering the creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

Recommendations For versions 1.1 and earlier, consider restricting the use of the CDA.xsl file until a patch is available. As a temporary workaround, avoid using crafted reference elements that could trigger the creation of an arbitrary IMG element with a malicious URL in its SRC attribute.