PT-2023-8404 · Htmlunit+1

Published: 2023-12-03 · Updated: 2026-05-05 · CVE-2023-49093

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: HtmlUnit versions prior to 3.9.0

Description: HtmlUnit is a GUI-less browser for Java programs. It is vulnerable to Remote Code Execution (RCE) via XSLT when browsing an attacker-controlled web page. The cause of the vulnerability is that FEATURE_SECURE_PROCESSING was not enabled for the XSLT processor, so a stylesheet served by the page is transformed with the Java XSLT engine's unsafe capabilities available. An attacker can exploit this to execute arbitrary code in the process running HtmlUnit. The vulnerability is located in the org.htmlunit.activex.javascript.msxml.XSLProcessor#transform function.

Recommendations: For versions prior to 3.9.0, update to version 3.9.0 to fix the vulnerability. As a temporary workaround, consider disabling the XSLT processor or restricting access to it until the patch can be applied. Avoid using the XSLT processor to parse untrusted input.

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-00652
CVE-2023-49093
GHSA-37VQ-HR2F-G7H7
USN-8220-1

Affected Products

Htmlunit
Ubuntu