HL7 FHIR IG Publisher XML External Entity Injection Vulnerability

Vulnerability

A vulnerability allowing XML external entity (XXE) injection has been identified in the HL7 FHIR IG Publisher tool, in versions prior to 1.7.4. The issue arises in the tool's XSLT transformations, which can be manipulated by a malicious XML file carrying a crafted DTD declaration. Exploitation could lead to the disclosure of data from the host system. This is particularly concerning where the FHIR IG Publisher runs in an environment that accepts XML submissions from external clients.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive data from the host system, through XML external entity injection.

Remediation

Users should upgrade to HL7 FHIR IG Publisher version 1.7.4 or later to address this vulnerability. The updated version is available from the official HL7 FHIR IG Publisher GitHub repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          1.2
  impact          0.8
  exploitability  5.3
  remediation     7.7
  relevance       0.0
  threat          3.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.