XML Handling Flaw in HL7 C-CDA by Health Level Seven International
CVE-2014-5452
Currently unrated
What is CVE-2014-5452?
The CDA.xsl file in HL7 C-CDA 1.1 and earlier fails to validate C-CDA documents correctly, allowing remote attackers to exploit crafted XML attributes. The result is Cross-Site Scripting (XSS): a malicious document containing a table can be improperly processed during unrestricted xsl:copy operations. This input-validation gap poses a significant risk in environments that depend on accurate healthcare data representation and exchange, so organizations need adequate security measures in place.
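An added example, not part of the original entry and not HL7's own code: a Python pre-render check that reports and strips attributes on C-CDA narrative table elements that fall outside an allowlist, so an unrestricted xsl:copy has nothing unexpected to copy. The allowlist, the function names and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

CDA_NS = "urn:hl7-org:v3"
# Narrative table elements, in ElementTree's "{namespace}local" form.
TABLE_TAGS = {f"{{{CDA_NS}}}{name}" for name in (
    "table", "caption", "colgroup", "col", "thead", "tfoot", "tbody",
    "tr", "th", "td")}
# Assumption: illustrative allowlist for this example; align it with the
# narrative-block schema your renderer is meant to enforce.
ALLOWED_ATTRS = {"ID", "language", "styleCode", "summary", "width", "border",
                 "cellspacing", "cellpadding", "align", "valign", "rowspan",
                 "colspan", "span"}
# Constructed sample: a table carrying one attribute outside the allowlist.
SAMPLE = """<ClinicalDocument xmlns="urn:hl7-org:v3"><component>
<structuredBody><component><section><text>
<table border="1" onmouseover="EXAMPLE"><tbody>
<tr><td colspan="2" styleCode="Bold">Aspirin</td></tr>
</tbody></table>
</text></section></component></structuredBody>
</component></ClinicalDocument>"""

def _parse(xml_text):
    # Assumption: incoming documents carry no DTD, so refuse any DOCTYPE
    # instead of letting the parser process entity declarations.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not accepted")
    return ET.fromstring(xml_text)

def _unexpected(root):
    """Yield (element, attribute) pairs that fall outside the allowlist."""
    for el in root.iter():
        if el.tag in TABLE_TAGS:
            for attr in list(el.attrib):
                # Namespaced attributes appear as "{ns}name" and never match.
                if attr not in ALLOWED_ATTRS:
                    yield el, attr

def find_unexpected_attributes(xml_text):
    """Return [(element local name, attribute name)] for reporting."""
    return [(el.tag.rpartition("}")[2], attr)
            for el, attr in _unexpected(_parse(xml_text))]

def strip_unexpected_attributes(xml_text):
    """Return the document with non-allowlisted table attributes removed."""
    root = _parse(xml_text)
    for el, attr in list(_unexpected(root)):
        del el.attrib[attr]
    ET.register_namespace("", CDA_NS)  # serialize with the default namespace
    return ET.tostring(root, encoding="unicode")
```

Run the check before a document reaches the stylesheet; it complements restricting what the stylesheet itself copies and does not replace it.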