Carlwilson

Name of the Vulnerable Software and Affected Versions: veraPDF (affected versions not specified) Description: The issue is related to the execution of policy checks using custom schematron files via the CLI, which invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This vulnerability is also associated with the incorrect restriction of XML links to external objects in the `mergeEnabledFeaturesFromPolicy()` function. The exploitation of this vulnerability may allow a remote attacker to conduct XXE attacks. Most users are not affected as they do not insert custom XSLT code into policy profiles. Recommendations: For users who insert custom XSLT code into policy profiles, only load custom policy files from sources you trust. As a temporary workaround, consider restricting the use of custom schematron files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** veraPDF-library versions prior to 1.24.2 **Description** The veraPDF-library, a PDF/A validation library, has a remote code execution (RCE) vulnerability when executing policy checks using custom schematron files. This invokes an XSL transformation that could lead to RCE. Most users are not affected as they do not insert custom XSLT code into policy profiles. For users who do, it is recommended to only load custom policy files from trusted sources. **Recommendations** For versions prior to 1.24.2, upgrade to version 1.24.2 to fix the vulnerability. As a temporary workaround, consider only loading custom policy files from sources you trust, to minimize the risk of exploitation.