
Joshua Mandel

Researcher from SMART Health IT
#30459 of 53,635
8.6 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2014-5558
4.3
2014-09-02
Health Level Seven International · Hl7 C-Cda · CVE-2014-3861
**Name of the Vulnerable Software and Affected Versions**
HL7 C-CDA versions 1.1 and earlier

**Description**
A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element. This affects the CDA.xsl component.

**Recommendations**
For versions 1.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2014-5559
4.3
2014-09-02
Health Level Seven International · Hl7 C-Cda · CVE-2014-3862
**Name of the Vulnerable Software and Affected Versions**
HL7 C-CDA versions 1.1 and earlier

**Description**
The issue allows remote attackers to discover potentially sensitive URLs via a crafted reference element. This is achieved by triggering the creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

**Recommendations**
For versions 1.1 and earlier, consider restricting the use of the CDA.xsl file until a patch is available. As a temporary workaround, avoid using crafted reference elements that could trigger the creation of an arbitrary IMG element with a malicious URL in its SRC attribute.