CVE-2023-49093
published 2023-12-04CVE-2023-49093: HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This…
PriorityP353high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
2.36%
81.6th percentile
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| htmlunit | htmlunit | < 3.9.0 | 3.9.0 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_redhat9.8CRITICAL
vendor_oracle8.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
osv·2023-12-04
CVE-2023-49093 [CRITICAL] HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
### Summary
HtmlUnit 3.8.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage
### Details
Vulnerability code location:
org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode)
The reason for the vulnerability is that it was not enabled FEATURE_SECURE_PROCESSING for the XSLT processor
### PoC
pom.xml:
```
org.htmlunit
htmlunit
3.8.0
```
code:
```
WebClient webClient = new WebClient(BrowserVersion.INTERNET_EXPLORER);
HtmlPage page = webClient.getPage("http://127.0.0.1:8080/test.html");
System.out.println(page.asNormalizedText());
```
test.html:
```
var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0");
var xslDoc = new ActiveXOb
GHSA
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
ghsa·2023-12-04
CVE-2023-49093 [CRITICAL] CWE-94 HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
### Summary
HtmlUnit 3.8.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage
### Details
Vulnerability code location:
org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode)
The reason for the vulnerability is that it was not enabled FEATURE_SECURE_PROCESSING for the XSLT processor
### PoC
pom.xml:
```
org.htmlunit
htmlunit
3.8.0
```
code:
```
WebClient webClient = new WebClient(BrowserVersion.INTERNET_EXPLORER);
HtmlPage page = webClient.getPage("http://127.0.0.1:8080/test.html");
System.out.println(page.asNormalizedText());
```
test.html:
```
var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0");
var xslDoc = new ActiveXOb
OSV
CVE-2023-49093: HtmlUnit is a GUI-less browser for Java programs
osv·2023-12-04·CVSS 8.8
CVE-2023-49093 [HIGH] CVE-2023-49093: HtmlUnit is a GUI-less browser for Java programs
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (NekoHTML) — CVE-2023-49093
vendor_oracle·2024-01-15·CVSS 8.8
CVE-2023-49093 [CRITICAL] Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (NekoHTML) — CVE-2023-49093
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (NekoHTML) vulnerability
CVE: CVE-2023-49093
CVSS: 8.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Red Hat
htmlunit: Feature for secure processing disabled in the XSLT processor
vendor_redhat·2023-12-04·CVSS 9.8
CVE-2023-49093 [CRITICAL] CWE-94 htmlunit: Feature for secure processing disabled in the XSLT processor
htmlunit: Feature for secure processing disabled in the XSLT processor
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0
A flaw was found in HTMLUnit. Fetching external resources may be possible for XSLT processors with the Feature for Secure Processing disabled (FSP), allowing code injection and arbitrary code execution. HTMLUnit is vulnerable to this type of attack by default.
Package: net.sourceforge.htmlunit-htmlunit-jar (Migration Toolkit for Applications 6) - Will not fix
Package: net.sourceforge.htmlunit-htmlunit-jar (Migration Toolkit for Runtimes) - Will not fix
Package: net.sourceforge.htmlunit-htmlunit-jar (Red Hat Build
No detection rules found.
No public exploits indexed.
2023-12-04
Published