CVE-2024-52800

Name of the Vulnerable Software and Affected Versions: veraPDF (affected versions not specified)

Description: The issue is related to the execution of policy checks using custom schematron files via the CLI, which invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This vulnerability is also associated with the incorrect restriction of XML links to external objects in the mergeEnabledFeaturesFromPolicy() function. The exploitation of this vulnerability may allow a remote attacker to conduct XXE attacks. Most users are not affected as they do not insert custom XSLT code into policy profiles.

Recommendations: For users who insert custom XSLT code into policy profiles, only load custom policy files from sources you trust. As a temporary workaround, consider restricting the use of custom schematron files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.