
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Nov 2024 — veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom p... • https://github.com/JAckLosingHeart/GHSA-4cx5-89vm-833x-POC • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Mar 2024 — veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2. • https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb • CWE-91: XML Injection (aka Blind XPath Injection) •