CVE-2019-12741
Description
XSS in HAPI FHIR testpage overlay due to unsanitized HTTP parameters; patched in 3.8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-12741 is a cross-site scripting (XSS) vulnerability in the testpage overlay module of the HAPI FHIR library before version 3.8.0. The flaw exists in BaseController.java where HTTP parameters such as serverId, base, and resourceName are directly placed into a Thymeleaf model without sanitization, leading to reflected XSS [1].
Exploitation
An attacker can exploit this by crafting a URL that injects malicious script into the form page. The attack requires no authentication and can be delivered via social engineering. However, the testpage overlay module is not commonly enabled in production environments, which reduces the overall attack surface [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leaking cookies, session tokens, or other sensitive information [1].
Mitigation
The vulnerability was fixed by introducing input sanitization in commit 8f41159, which wraps parameters with a sanitizeInput() method [2]. Users are advised to upgrade to HAPI FHIR 3.8.0 or later. If upgrading is not immediately possible, disabling the testpage overlay module can serve as a temporary workaround [1].
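To make the difference between the patch's approach and output encoding concrete, here is an added Python re-implementation (not the project's Java code) of the `sanitizeInput()` character replacement from commit 8f41159, next to contextual HTML encoding and an allowlist check for `serverId`; the sample inputs and the `SAMPLE_CONFIG` server map are constructed for the example.

```python
import html

# Characters the patch's sanitizeInput() rewrites to '_' (from commit 8f41159).
_DENYLIST = {"'", '"', "<", ">"}


def sanitize_input(value):
    """Port of BaseController.sanitizeInput(): replace ' " < > with '_'.

    Lossy: the original value cannot be recovered, and '&' is left alone.
    """
    if value is None:
        return None
    return "".join("_" if ch in _DENYLIST else ch for ch in value)


def html_encode(value):
    """Output encoding for an HTML text or double-quoted attribute context.

    Unlike sanitize_input() it is reversible and also covers '&', so the
    browser shows exactly the original text. (Assumption: the template
    renders the value with escaping, e.g. th:text, not th:utext.)
    """
    if value is None:
        return ""
    return html.escape(value, quote=True)


def resolve_server_id(server_id, id_to_server_name):
    """Allowlist check: serverId is a lookup key, so only configured keys pass.

    Hypothetical helper in the spirit of myConfig.getIdToServerName() in the
    patch: unknown ids are rejected instead of having characters rewritten.
    Returns the accepted id, or None when it is not configured.
    """
    if server_id in id_to_server_name:
        return server_id
    return None


# Constructed sample inputs and server map (not from the advisory).
SAMPLE_INPUTS = [
    "home",                      # ordinary value
    "O'Brien's test server",     # legitimate apostrophes
    "<b>bold</b> & more",        # markup plus an ampersand
]
SAMPLE_CONFIG = {"home": "Local test server", "hapi": "Public HAPI server"}


def compare(values=SAMPLE_INPUTS):
    """Run each value through both approaches; returns (value, sanitized, encoded)."""
    return [(v, sanitize_input(v), html_encode(v)) for v in values]


def lossy_inputs(values=SAMPLE_INPUTS):
    """Values the sanitizer alters that html_encode() preserves after decoding."""
    return [v for v in values
            if sanitize_input(v) != v and html.unescape(html_encode(v)) == v]


if __name__ == "__main__":
    for original, sanitized, encoded in compare():
        print(f"{original!r:25} sanitized={sanitized!r:25} encoded={encoded!r}")
    print("mangled by sanitizer:", lossy_inputs())
    print("serverId 'home' ->", resolve_server_id("home", SAMPLE_CONFIG))
    print("serverId 'x<y'  ->", resolve_server_id("x<y", SAMPLE_CONFIG))
```

Running it shows that the denylist both misses `&` and silently corrupts harmless values such as names with apostrophes, while encoding at output keeps the data intact.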
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ca.uhn.hapi.fhir:hapi-fhir-base (Maven) | < 3.8.0 | 3.8.0 |
Affected products
- HAPI FHIR library
Patches
56 files changed · +59 −59
example-projects/hapi-fhir-base-example-embedded-ws/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent>
example-projects/hapi-fhir-jpaserver-cds-example/pom.xml+1 −1 modified@@ -10,7 +10,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent>
example-projects/hapi-fhir-jpaserver-dynamic/pom.xml+1 −1 modified@@ -10,7 +10,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent>
example-projects/hapi-fhir-jpaserver-example-postgres/pom.xml+1 −1 modified@@ -10,7 +10,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent>
example-projects/hapi-fhir-standalone-overlay-example/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent> <artifactId>hapi-fhir-standalone-overlay-example</artifactId>
examples/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-deployable-pom/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-android/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-base/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-client-okhttp/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-client/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-cli/hapi-fhir-cli-api/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-cli/hapi-fhir-cli-app/pom.xml+1 −1 modified@@ -6,7 +6,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-cli</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-cli/hapi-fhir-cli-jpaserver/pom.xml+1 −1 modified@@ -6,7 +6,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-cli</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-cli/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-converter/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-dist/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-igpacks/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <artifactId>hapi-deployable-pom</artifactId> <groupId>ca.uhn.hapi.fhir</groupId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent> <modelVersion>4.0.0</modelVersion>
hapi-fhir-jacoco/pom.xml+1 −1 modified@@ -11,7 +11,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jaxrsserver-base/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jaxrsserver-example/pom.xml+1 −1 modified@@ -6,7 +6,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-base/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-elasticsearch/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-migrate/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-model/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-searchparam/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-subscription/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-jpaserver-uhnfhirtest/pom.xml+2 −2 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent> @@ -158,7 +158,7 @@ <dependency> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-converter</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </dependency> </dependencies>
hapi-fhir-server/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/IServerInterceptor.java+2 −2 modified@@ -9,9 +9,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
hapi-fhir-spring-boot/hapi-fhir-spring-boot-autoconfigure/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-apache/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-spring-boot-samples</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </parent> <artifactId>hapi-fhir-spring-boot-sample-client-apache</artifactId>
hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-okhttp/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-spring-boot-samples</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </parent> <artifactId>hapi-fhir-spring-boot-sample-client-okhttp</artifactId>
hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-server-jersey/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-spring-boot-samples</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </parent> <artifactId>hapi-fhir-spring-boot-sample-server-jersey</artifactId>
hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-server-jpa/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-spring-boot-samples</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </parent> <artifactId>hapi-fhir-spring-boot-sample-server-jpa</artifactId>
hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-spring-boot</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </parent> <artifactId>hapi-fhir-spring-boot-samples</artifactId>
hapi-fhir-spring-boot/hapi-fhir-spring-boot-starter/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-spring-boot/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-structures-dstu2.1/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-structures-dstu2/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-structures-dstu3/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-structures-hl7org-dstu2/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-structures-r4/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-testpage-overlay/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
hapi-fhir-utilities/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-validation/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-validation-resources-dstu2.1/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-validation-resources-dstu2/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-validation-resources-dstu3/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-fhir-validation-resources-r4/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-deployable-pom</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../hapi-deployable-pom/pom.xml</relativePath> </parent>
hapi-tinder-plugin/pom.xml+2 −2 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent> @@ -73,7 +73,7 @@ <dependency> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir-structures-r4</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> </dependency> <dependency> <groupId>ca.uhn.hapi.fhir</groupId>
hapi-tinder-test/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
pom.xml+1 −1 modified@@ -6,7 +6,7 @@ <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> <packaging>pom</packaging> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <name>HAPI-FHIR</name> <description>An open-source implementation of the FHIR specification in Java.</description> <url>https://hapifhir.io</url>
restful-server-example/pom.xml+1 −1 modified@@ -8,7 +8,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../pom.xml</relativePath> </parent>
tests/hapi-fhir-base-test-mindeps-client/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent>
tests/hapi-fhir-base-test-mindeps-server/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>hapi-fhir</artifactId> - <version>3.8.0-SNAPSHOT</version> + <version>3.8.0</version> <relativePath>../../pom.xml</relativePath> </parent>
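Review bot: the IServerInterceptor.java hunk (`- * ` → `+ *`, trailing whitespace trimmed on two license-header lines) is unrelated to the 3.8.0-SNAPSHOT → 3.8.0 version bump that every other file in this commit makes; keep release-tagging commits to version changes only, so that the release diff and the separate security fix (8f41159) stay easy to audit on their own.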
8f41159eb147 Fix a potential security vulnerability in the testpage overlay
2 files changed · +30 −10
hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java+25 −10 modified@@ -32,7 +32,6 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.ui.ModelMap; import org.thymeleaf.ITemplateEngine; -import org.thymeleaf.TemplateEngine; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @@ -63,14 +62,14 @@ protected IBaseResource addCommonParams(HttpServletRequest theServletRequest, fi final String serverBase = theRequest.getServerBase(theServletRequest, myConfig); final String serverName = theRequest.getServerName(myConfig); final String apiKey = theRequest.getApiKey(theServletRequest, myConfig); - theModel.put("serverId", serverId); - theModel.put("base", serverBase); - theModel.put("baseName", serverName); - theModel.put("apiKey", apiKey); - theModel.put("resourceName", defaultString(theRequest.getResource())); - theModel.put("encoding", theRequest.getEncoding()); - theModel.put("pretty", theRequest.getPretty()); - theModel.put("_summary", theRequest.get_summary()); + theModel.put("serverId", sanitizeInput(serverId)); + theModel.put("base", sanitizeInput(serverBase)); + theModel.put("baseName", sanitizeInput(serverName)); + theModel.put("apiKey", sanitizeInput(apiKey)); + theModel.put("resourceName", sanitizeInput(defaultString(theRequest.getResource()))); + theModel.put("encoding", sanitizeInput(theRequest.getEncoding())); + theModel.put("pretty", sanitizeInput(theRequest.getPretty())); + theModel.put("_summary", sanitizeInput(theRequest.get_summary())); theModel.put("serverEntries", myConfig.getIdToServerName()); return loadAndAddConf(theServletRequest, theRequest, theModel); 
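Review bot: `serverEntries` is built from `myConfig.getIdToServerName()` two lines below, which indicates `serverId` is a key into a configured map; for such a value, rejecting anything that is not a configured key is stronger than rewriting its characters, so consider validating `serverId` against that map before it reaches the model and reserving `sanitizeInput()` for free-text values. Applying the same replacement to `apiKey` and `base` also silently alters legitimate values containing quotes instead of failing loudly. Separately, the removed `import org.thymeleaf.TemplateEngine;` is unused-import cleanup unrelated to the fix.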
@@ -307,7 +306,6 @@ private IBaseResource loadAndAddConf(HttpServletRequest theServletRequest, final throw new IllegalStateException("Unknown version: " + theRequest.getFhirVersion(myConfig)); } - private IResource loadAndAddConfDstu2(HttpServletRequest theServletRequest, final HomeRequest theRequest, final ModelMap theModel) { CaptureInterceptor interceptor = new CaptureInterceptor(); GenericClient client = theRequest.newClient(theServletRequest, getContext(theRequest), myConfig, interceptor); @@ -746,4 +744,21 @@ public void interceptResponse(IHttpResponse theResponse) throws IOException { } + private static String sanitizeInput(String theString) { + String retVal = theString; + if (retVal != null) { + for (int i = 0; i < retVal.length(); i++) { + char nextChar = retVal.charAt(i); + switch (nextChar) { + case '\'': + case '"': + case '<': + case '>': + retVal = retVal.replace(nextChar, '_'); + } + } + } + return retVal; + } + }
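Review bot: `sanitizeInput()` is a character denylist (`'`, `"`, `<`, `>` → `_`) applied when the model is populated, not contextual output encoding: it leaves `&` untouched, covers only the HTML contexts those four characters matter in, and destroys the original value. The more robust fix is to escape at output (Thymeleaf's `th:text` escapes; `th:utext` does not) or to run the values through an HTML/attribute encoder, and to document why input-time replacement was chosen here. Minor: `retVal = retVal.replace(nextChar, '_')` inside the loop replaces every occurrence on each hit, so the loop can be a single pass over a `StringBuilder`; the `switch` relies on case fall-through with no `break`, which works but deserves a comment. The blank-line removal in the `@@ -307,7 +306,6 @@` hunk is unrelated whitespace.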
src/changes/changes.xml+5 −0 modified@@ -7,6 +7,11 @@ </properties> <body> <release version="3.8.0" date="TBD" description="Hippo"> + <action type="fix"> + A potential security vulnerability in the hapi-fhir-testpage-overlay project was corrected: A URL + parameter was not being correctly escaped, leading to a potential XSS vulnerabnility. A big thanks to + Mudit Punia and Dushyant Garg for reporting this. + </action> <action type="add"> The version of a few dependencies have been bumped to the latest versions (dependent HAPI modules listed in brackets):
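Review bot: typo in the new `<action type="fix">` text: "vulnerabnility" should be "vulnerability". The entry would also help users assess exposure if it named which inputs were affected (the URL parameters copied into the testpage model) and the module as the only affected one. The surrounding `<release version="3.8.0" date="TBD" ...>` still carries a placeholder date that must be set before tagging.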
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-52mh-p2m2-w625 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-12741 (NVD advisory)
- https://github.com/jamesagnew/hapi-fhir/commit/8f41159eb147eeb964cad68b28eff97acac6ea9a (fix commit)
- https://github.com/jamesagnew/hapi-fhir/issues/1335 (issue report)
- https://github.com/jamesagnew/hapi-fhir/releases/tag/v3.8.0 (release 3.8.0)
News mentions
No linked articles in our index yet.