CVE-2014-3862 - Vulnerability Details - OpenCVE

CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hl7	C-cda

Configuration 1 [-]

cpe:2.3:a:hl7:c-cda:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088
http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html
http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-09-02T10:00:00

Updated: 2024-08-06T10:57:17.866Z

Reserved: 2014-05-25T00:00:00

Link: CVE-2014-3862

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-09-02T10:55:04.573

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-3862

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-15T00:00:00", "descriptions": [{"lang": "en", "value": "CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-09-02T03:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088"}, {"tags": ["x_refsource_MISC"], "url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3862", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html", "refsource": "CONFIRM", "url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"}, {"name": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088", "refsource": "CONFIRM", "url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088"}, {"name": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/", "refsource": "MISC", "url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:57:17.866Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3862", "datePublished": "2014-09-02T10:00:00", "dateReserved": "2014-05-25T00:00:00", "dateUpdated": "2024-08-06T10:57:17.866Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hl7:c-cda:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CFF71B1-DB79-47BA-92A1-FCA69B92F172", "versionEndIncluding": "1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log."}, {"lang": "es", "value": "CDA.xsl en HL7 C-CDA 1.1 y anteriores permite a atacantes remotos descubrir URLs potencialmente sensibles a trav\u00e9s de un elemento de referencia manipulado que provoca la creaci\u00f3n de un elemento IMG con una URL arbitraria en su atributo SRC, que conduce a la revelaci\u00f3n de informaci\u00f3n en un registro Referer."}], "id": "CVE-2014-3862", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-09-02T10:55:04.573", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://gforge.hl7.org/gf/project/strucdoc/frs/?action=FrsReleaseView&release_id=1088"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://motorcycleguy.blogspot.com/2014/04/hl7-cda-stylesheet-patches.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://smartplatforms.org/2014/04/security-vulnerabilities-in-ccda-display/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}