SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500 PUBLISHED CVSS 9.8 CRITICAL

## Overview

[net.sourceforge.htmlunit:htmlunit](http://htmlunit.sourceforge.net) is a GUI-Less browser for Java programs.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker’s webpage.

**Note:** Users are advised to upgrade to the [`org.htmlunit:htmlunit`](https://mvnrepository.com/artifact/org.htmlunit/htmlunit) component `v3.0.0`, as it contains a fix for this issue.

## Remediation

A fix was pushed into the `master` branch but not yet published.

## References

- [GitHub Commit](https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b)
- [PoC](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/)

Risk Scores

CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
