Bug 2337619 (CVE-2025-23366)
| Summary: | CVE-2025-23366 org.jboss.hal:hal-console: Wildfly HAL Console Cross-Site Scripting | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dereed, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, lgao, mosmerov, msochure, msvehla, muhrahma, nwallace, pesilva, pjindal, pmackay, rrahmat, rstancel, smaestri, tom.jenkinson, vrajput |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-01-14 15:24:21 UTC
https://blockblastpuzzle.org/ medium-priority bug? Seems like it should be higher given how it involves cross-site scripting and authenticated users. It’s a bit too risky to leave it unresolved for long. It’s great that the fix is already being worked on, but I’d love to see faster action on critical vulnerabilities like this. |