CVE-2014-5452

Name of the Vulnerable Software and Affected Versions HL7 C-CDA versions 1.1 and earlier

Description The issue concerns the CDA.xsl component in HL7 C-CDA, which does not properly handle invalid C-CDA documents containing crafted XML attributes. This allows remote attackers to conduct cross-site scripting (XSS) attacks via a document with a table that is improperly handled during unrestricted xsl:copy operations.

Recommendations For HL7 C-CDA versions 1.1 and earlier, consider restricting the handling of XML attributes in CDA.xsl to prevent improper xsl:copy operations. As a temporary workaround, restrict access to documents that may contain crafted XML attributes to minimize the risk of XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.