{"id":"CVE-2019-12741","details":"XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)","aliases":["GHSA-52mh-p2m2-w625"],"modified":"2026-02-13T01:39:38.967219Z","published":"2019-06-05T15:29:01.873Z","references":[{"type":"ADVISORY","url":"https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a"},{"type":"ADVISORY","url":"https://github.com/jamesagnew/hapi-fhir/issues/1335"},{"type":"ADVISORY","url":"https://github.com/jamesagnew/hapi-fhir/releases/tag/v3.8.0"},{"type":"FIX","url":"https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a"},{"type":"FIX","url":"https://github.com/jamesagnew/hapi-fhir/issues/1335"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jamesagnew/hapi-fhir","events":[{"introduced":"0"},{"fixed":"8f41159eb147eeb964cad68b28eff97acac6ea9a"}]}],"database_specific":{"vanir_signatures":[{"target":{"file":"hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java"},"digest":{"line_hashes":["322394646498748269869226448963532292247","297223349063439588668128140357273445862","312204412830696150128672996707971173230","314334532338452688053529858770175905776","324534276017699301977482741958841197816","334030326527818991524887231118380979379","220149531720126509925678213887013115608","192017219783609408020722629308401284727","40229981143918095712823181645196261844","238827581832589460966471150852714985452","195741536995231971118927749398729015169","247830420808296325277770412206244366966","262708264908355614453407038386470314082","107684021343401438874661953476307547660","35021954230165303612751477354859184552","144978774783867778970156060699643999719","152540356137832457088280615946424058829","294874016313440058176341677597984842672","219339966706692805641631538870918384977"],"threshold":0.9},"id":"CVE-2019-12741-3ddf3ba6","signature_version":"v1","signature_type":"Line","source":"https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a","deprecated":false},{"target":{"file":"hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java","function":"addCommonParams"},"digest":{"function_hash":"13979340989605696099391175575559691536","length":796},"id":"CVE-2019-12741-ac1cb6a3","signature_version":"v1","signature_type":"Function","source":"https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12741.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}