CVE-2024-28109: Potential XSLT injection vulnerability when using policy files

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-28109

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Potential XSLT injection vulnerability when using policy files

Source: NVD (National Vulnerability Database)

Vulnerability Description

veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

XML注入(XPath盲注)

Source: NVD (National Vulnerability Database)

Vulnerability Title

veraPDF-library 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

veraPDF-library是veraPDF开源的一个开源 PDF/A 验证库。 veraPDF-library 存在安全漏洞。攻击者利用该漏洞可以远程执行代码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
veraPDF	veraPDF-library	< 1.24.2	-

II. Public POCs for CVE-2024-28109

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-28109

Please Login to view more intelligence information

https://github.com/veraPDF/veraPDF-library/issues/1415x_refsource_MISC
https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jwx_refsource_CONFIRM
https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9fx_refsource_MISC
https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfex_refsource_MISC
https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fbx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-28109

IV. Related Vulnerabilities

Same product: veraPDF-library

CVE-2024-52800
Potential XXE (XML External Entity Injection) vulnerability

Same vendor: veraPDF

CVE-2024-52800
Potential XXE (XML External Entity Injection) vulnerability

Same weakness: CWE-91

V. Comments for CVE-2024-28109

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-28109

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-28109

III. Intelligence Information for CVE-2024-28109

IV. Related Vulnerabilities

V. Comments for CVE-2024-28109

Leave a comment