CVE-2023-49093: 
Java vulnerability analysis and mitigation

HtmlUnit, a GUI-less browser for Java programs, was found to be vulnerable to Remote Code Execution (RCE) via XSLT when browsing an attacker's webpage. The vulnerability, identified as CVE-2023-49093, was discovered in December 2023 and affects versions prior to 3.9.0. The vulnerability has been assigned a critical CVSS score of 9.8 (GitHub Advisory).

The vulnerability stems from the failure to enable FEATURE_SECURE_PROCESSING for the XSLT processor within HtmlUnit. The vulnerability is located in org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode). Without this security feature enabled, the XSLT processor becomes vulnerable to code injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory, Security Online).

The vulnerability allows attackers to execute arbitrary code on the victim's system by tricking them into visiting a malicious webpage. This could lead to complete system compromise, enabling attackers to steal sensitive data, install malware, or disrupt critical operations (Security Online).

The vulnerability has been patched in HtmlUnit version 3.9.0. Users are strongly advised to upgrade to this version or later to address the security risk. Organizations should also consider implementing web application firewalls (WAFs) and network intrusion protection systems (IPS) as additional security measures (Security Online).