CVE-2023-49093 — Code Injection in Htmlunit

CWE-94 — Code Injection7 documents6 sources

Severity

8.8HIGHNVD

CNA9.8

EPSS

5.1%

top 10.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Htmlunit

Timeline

PublishedDec 4

Latest updateJan 15

Description

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5htmlunit/htmlunit< 3.9.0

▶NVDhtmlunit/htmlunit< 3.9.0

🔴Vulnerability Details

CVEList

HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL↗2023-12-04

▶

OSV

HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL↗2023-12-04

▶

GHSA

HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL↗2023-12-04

▶

OSV

CVE-2023-49093: HtmlUnit is a GUI-less browser for Java programs↗2023-12-04

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (NekoHTML) — CVE-2023-49093↗2024-01-15

▶

Red Hat

htmlunit: Feature for secure processing disabled in the XSLT processor↗2023-12-04

▶