Vendor
HAPI FHIR Core is vulnerable to authentication credential leakage due to improper URL prefix matching on HTTP redirects, allowing attackers to intercept credentials by hosting a domain that is a prefix of a configured FHIR server URL.