CVE-2024-31573

Severity CVSS v4.0:

Pending analysis

Type:

CWE-669 Incorrect Resource Transfer Between Spheres

Publication date:

17/10/2025

Last modified:

21/10/2025

Description

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.00 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score 3.x

4.00

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/advisories/GHSA-chfm-68vv-pvw5
https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b
https://github.com/xmlunit/xmlunit/issues/264
https://github.com/xmlunit/xmlunit/issues/264