XXE - XML External Entity Injection. The XXE vulnerability found within mulitple artifacts or modules with https://github.com/hapifhir/org.hl7.fhir.core/ repository can be further exploited to do SSRF, leak information and etc.
org.hl7.fhir.convertors < 6.4.0
org.hl7.fhir.dstu2 < 6.4.0
org.hl7.fhir.dstu2016may < 6.4.0
org.hl7.fhir.dstu3 < 6.4.0
org.hl7.fhir.r4 < 6.4.0
org.hl7.fhir.r4b < 6.4.0
org.hl7.fhir.r5 < 6.4.0
org.hl7.fhir.utilities < 6.4.0
org.hl7.fhir.validation < 6.4.0
Found one of vulnerable places with my code analysis tool on probably 10/19/2024. However later I found there had been multiple commits by maintainers to fix the vulnerability and showed there were even more of them with the same issue than I thought.