CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-23366: Org.jboss.hal:hal-console: wildfly hal console cross-site scripting

Description

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

Classification

CVE ID: CVE-2025-23366

Affected Products

Vendor: Red Hat

Product: Red Hat JBoss Data Grid 7

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 21.98% (scored less or equal to compared to others)

EPSS Date: 2025-02-12 (when was this score calculated)

References

https://access.redhat.com/security/cve/CVE-2025-23366
https://bugzilla.redhat.com/show_bug.cgi?id=2337619

Timeline

2025-01-15 00:30:53 UTC
CVE

Org.jboss.hal:hal-console: wildfly hal console cross-site scripting
2025-01-16 20:15:16 UTC
Github Advisory Database (Maven)

[org.jboss.hal:hal-console] HAL Console has a Cross Site Scripting (XSS) vulnerability of user input