CVE-2023-26119
Published 2023-04-03
Priority: P2 (58) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.51% (82.8th percentile)
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage. Because the trigger is the library fetching and rendering an attacker-controlled page, the exposed systems are crawlers, link-preview and screenshot services, and test harnesses that point HtmlUnit at untrusted URLs; no inbound request to the application itself is needed.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| htmlunit | htmlunit | < 3.0.0 | 3.0.0 |
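As an added practitioner check (not part of this advisory or the HtmlUnit project): a small Python audit that parses the coordinate lines printed by `mvn dependency:tree` / `mvn dependency:list` and flags `net.sourceforge.htmlunit:htmlunit` below 3.0.0, the range in the table above. The sample tree is constructed. One caveat the table does not show: HtmlUnit 3.0.0 was published under the new groupId `org.htmlunit`, and the Java packages moved from `com.gargoylesoftware.htmlunit` to `org.htmlunit`, so remediation is a coordinate change plus an import rewrite, not a version bump on the old coordinates.

```python
import re

# Affected coordinates and fixed version, taken from the Affected table above.
AFFECTED_GROUP = "net.sourceforge.htmlunit"
AFFECTED_ARTIFACT = "htmlunit"
FIXED_VERSION = "3.0.0"
# 3.0.0 shipped under a new groupId, so the remediation target differs from the
# affected coordinates (a fact about the HtmlUnit 3.0.0 release, not stated in the table).
FIXED_GROUP = "org.htmlunit"

# groupId:artifactId:packaging:version[:scope], the form mvn dependency:tree prints.
COORD_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):"
    r"(?P<packaging>[A-Za-z0-9_\-]+):(?P<version>[A-Za-z0-9_.\-]+)(?::(?P<scope>[a-z]+))?"
)


def version_key(version: str) -> tuple:
    """Order dotted versions numerically; a qualifier (e.g. -SNAPSHOT) sorts below the
    bare release. Sufficient for the htmlunit line, not a full Maven comparator."""
    base, _, qualifier = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return (*parts, 0 if qualifier else 1)


def is_affected(group: str, artifact: str, version: str) -> bool:
    """True when the coordinate falls in the advisory's range (< 3.0.0 under the old groupId)."""
    return (group == AFFECTED_GROUP
            and artifact == AFFECTED_ARTIFACT
            and version_key(version) < version_key(FIXED_VERSION))


def find_affected(mvn_output: str) -> list:
    """Scan dependency-tree text and return one finding per affected coordinate line."""
    findings = []
    for line in mvn_output.splitlines():
        m = COORD_RE.search(line)
        if m and is_affected(m["group"], m["artifact"], m["version"]):
            findings.append({
                "coordinate": f"{m['group']}:{m['artifact']}:{m['version']}",
                "scope": m["scope"] or "compile",
                "remediate_to": f"{FIXED_GROUP}:{AFFECTED_ARTIFACT}:{FIXED_VERSION}",
            })
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_MVN_TREE = """\
[INFO] com.example:crawler:jar:1.4.2
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.70.0:compile
[INFO] |  +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.70.0:compile
[INFO] |  \\- net.sourceforge.htmlunit:htmlunit-cssparser:jar:1.14.0:compile
[INFO] +- org.htmlunit:htmlunit:jar:3.0.0:test
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

if __name__ == "__main__":
    for f in find_affected(SAMPLE_MVN_TREE):
        print(f"{f['coordinate']} ({f['scope']}): CVE-2023-26119, upgrade to {f['remediate_to']}")
```

The check matches only the `htmlunit` artifact, the one row in the affected table; `neko-htmlunit` and the CSS parser are left alone even though they share the groupId. On Oracle Fusion Middleware hosts, where the component is listed under Centralized Thirdparty Jars (NekoHTML), there is no Maven tree to scan, so inventory the bundled jar and apply cpujul2023 instead.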
Detection & IOCs (extracted from sources)
- Oracle Fusion Middleware bundles the affected library (Centralized Thirdparty Jars, NekoHTML component); inventory Fusion Middleware hosts for the bundled jar, apply cpujul2023, and prioritize monitoring of HTTP traffic to endpoints that hand fetched content to HtmlUnit/NekoHTML parsing.
- The vulnerability is remotely exploitable over HTTP (CVSS 9.8) and fires when an HtmlUnit-based component renders attacker-supplied HTML; treat any unauthenticated path that lets untrusted input choose the page HtmlUnit loads or triggers an XSLT transformation as a critical exposure until the library is upgraded.
CVSS provenance
- NVD: CVSS 3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Oracle (vendor): 9.8 CRITICAL
GHSA
HtmlUnit Code Injection vulnerability (ghsa · 2023-07-06)
CVE-2023-26119 [CRITICAL] CWE-74
Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage.
OSV
HtmlUnit Code Injection vulnerability (osv · 2023-07-06)
CVE-2023-26119 [CRITICAL]
Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage.
Oracle
Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (NekoHTML) (vendor_oracle · 2023-07-15 · CVSS 9.8)
CVE: CVE-2023-26119 [CRITICAL]
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujul2023 (JUL 2023)
No detection rules found.
No public exploits indexed.
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review (blogs_qualys · 2023-07-19)
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with
References
- https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b (HtmlUnit commit)
- https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500 (Snyk advisory)
- https://siebene.github.io/2022/12/30/HtmlUnit-RCE/ (write-up)
Published: 2023-04-03