Description

It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability.

Remediation

References

CVE-2017-7465

Related Vulnerabilities

WordPress Plugin Preview E-mails for WooCommerce Cross-Site Scripting (1.6.8)

MySQL CVE-2014-4287 Vulnerability (CVE-2014-4287)

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2021-40317)

WordPress Plugin Lim4wp 'upload.php' Arbitrary File Upload (1.1.1)

WordPress Plugin YITH WooCommerce Frequently Bought Together Security Bypass (1.2.10)

Severity

Critical

Classification

CVE-2017-7465 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities