PT-2019-12911 · Hapi · Hapi Fhir Library

Published: 2019-06-05 · Updated: 2019-06-07 · CVE-2019-12741

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: HAPI FHIR library versions prior to 3.8.0

Description: Unsanitized HTTP parameters are echoed back into a form page, so an attacker who lures a user to a specially crafted URL can leak cookies and other sensitive information (reflected cross-site scripting). The vulnerable code is in ca/uhn/fhir/to/BaseController.java, part of the testpage overlay module. The attack surface is expected to be low, since the affected module is not generally deployed in production systems.

Recommendations: For versions prior to 3.8.0, upgrade to version 3.8.0 or later to resolve the issue. As a temporary workaround, restrict access to the HAPI FHIR testpage overlay module until the upgrade is applied.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2019-12741
GHSA-52MH-P2M2-W625

Affected Products

Hapi Fhir Library