Vulnerability Details : CVE-2023-26119
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 (that is, every release prior to 3.0.0) are vulnerable to Remote Code Execution (RCE) via XSLT when browsing an attacker-controlled webpage. The fix (see References below) enables the JAXP FEATURE_SECURE_PROCESSING feature on the XSLT processor, which disables the unsafe processing an attacker-supplied stylesheet could otherwise trigger; affected deployments should upgrade to 3.0.0 or later.
Vulnerability category: Execute code
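The following is an added example, not code from HtmlUnit or from any of the references on this page. It shows the underlying hazard and the hardening the fix commit applies: an XSLT engine run without FEATURE_SECURE_PROCESSING will honour Java extension calls embedded in a stylesheet, while the same engine with the feature enabled rejects them. It assumes Apache Xalan-J is the JAXP TransformerFactory on the classpath (the page does not say which engine HtmlUnit used); the stylesheet, the `sys` prefix and the class/method names are constructed for illustration and are not the advisory's payload.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not HtmlUnit code): why an XSLT processor that accepts
 * attacker-supplied stylesheets must run with FEATURE_SECURE_PROCESSING.
 * Assumption: Apache Xalan-J is the JAXP TransformerFactory in use.
 */
public class XsltSecureProcessingDemo {

    /**
     * Constructed hostile stylesheet. The "sys" namespace uses Xalan's Java
     * extension convention (http://xml.apache.org/xalan/java/<class>) so that
     * sys:getProperty(...) becomes a call to java.lang.System.getProperty.
     * A real attacker would point the same mechanism at Runtime.exec.
     */
    static final String HOSTILE_XSLT =
        "<xsl:stylesheet version=\"1.0\"\n" +
        "    xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n" +
        "    xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">\n" +
        "  <xsl:output method=\"text\"/>\n" +
        "  <xsl:template match=\"/\">\n" +
        "    <xsl:value-of select=\"sys:getProperty('user.name')\"/>\n" +
        "  </xsl:template>\n" +
        "</xsl:stylesheet>";

    /** Constructed input document; its content is irrelevant to the attack. */
    static final String INPUT_XML = "<root/>";

    /**
     * Applies the stylesheet to the document. When secure is true the factory
     * is configured the way the fix commit configures it; Xalan then refuses
     * extension-function calls and the transform fails instead of executing
     * attacker-chosen Java.
     */
    static String transform(String xslt, String xml, boolean secure)
            throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        if (secure) {
            // Hardened configuration: disables extension functions and other
            // unsafe behaviour in the XSLT engine.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        Transformer transformer =
            factory.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)),
                              new StreamResult(out));
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable configuration: the stylesheet's Java call runs and its
        // return value (here the OS user name) lands in the output.
        System.out.println("insecure: " + transform(HOSTILE_XSLT, INPUT_XML, false));

        // Hardened configuration: the extension call is rejected by the engine.
        try {
            System.out.println("secure:   " + transform(HOSTILE_XSLT, INPUT_XML, true));
        } catch (TransformerException e) {
            System.out.println("secure:   rejected -> " + e.getMessage());
        }
    }
}
```

Run it with a Xalan-J jar on the classpath; the first line prints the current user name (proof that stylesheet content reached Java code), the second reports the transform being rejected. If the JDK's built-in XSLTC is picked up instead, whether the insecure run executes the call depends on the JDK version and its `jdk.xml.enableExtensionFunctions` setting, so check which TransformerFactory `newInstance()` returns before drawing conclusions.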
Products affected by CVE-2023-26119
- cpe:2.3:a:htmlunit:htmlunit:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26119
EPSS score: 2.18% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~90% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-26119
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Snyk |
CWE ids for CVE-2023-26119
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by: report@snyk.io (Secondary)
References for CVE-2023-26119
- https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b
  "enable FEATURE_SECURE_PROCESSING for the XSLT processor" (HtmlUnit/htmlunit@641325b, GitHub) [Patch]
- https://siebene.github.io/2022/12/30/HtmlUnit-RCE/
  "HtmlUnit-RCE" (Siebene@ Blog) [Exploit; Third Party Advisory]
- https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500
  "Remote Code Execution (RCE) in net.sourceforge.htmlunit:htmlunit | CVE-2023-26119" (Snyk) [Third Party Advisory]