Qligier

**Name of the Vulnerable Software and Affected Versions** HL7 FHIR Core Artifacts repository versions prior to 6.3.23 **Description** The issue concerns XML external entity injections in XSLT transforms performed by various components. A processed XML file with a malicious DTD tag could produce XML containing data from the host system, impacting use cases where external clients can submit XML. This affects scenarios where the repository is used within a host that allows external client XML submissions. **Recommendations** For versions prior to 6.3.23, update to release 6.3.23 to resolve the issue. As a temporary workaround, consider restricting the submission of XML files from external clients until the update is applied. Avoid using the `<!DOCTYPE>` tag with external entities in XML files until the issue is resolved. At the moment, there are no other known workarounds available.