Description
A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| unaffected |
|
||||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | affected |
|
||||||
| Red Hat | Red Hat JBoss Data Grid 7 | unknown | — | ||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 | affected | — | ||||||
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | unaffected | — |
No data.
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2025-0099 | A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. |
 Github GHSA |
GHSA-jhvj-f397-8w6q | HAL Console has a Cross Site Scripting (XSS) vulnerability of user input |
References
History
Thu, 30 Apr 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 |
Wed, 01 Apr 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 |
cpe:/a:redhat:jboss_enterprise_application_platform:7 |
Tue, 10 Feb 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | |
| References |
|
Tue, 10 Feb 2026 07:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 |
|
| References |
|
Tue, 14 Oct 2025 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat hal Management Console
|
|
| CPEs | cpe:2.3:a:redhat:hal_management_console:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Redhat hal Management Console
|
Wed, 15 Jan 2025 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jan 2025 02:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Tue, 14 Jan 2025 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. | |
| Title | Org.jboss.hal:hal-console: wildfly hal console cross-site scripting | |
| First Time appeared |
Redhat
Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:/a:redhat:jboss_data_grid:7 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp |
|
| Vendors & Products |
Redhat
Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-30T13:29:42.810Z
Reserved: 2025-01-14T15:23:42.645Z
Link: CVE-2025-23366
Vulnrichment
Updated: 2025-01-15T15:00:48.978Z
NVD
Status : Modified
Published: 2025-01-14T18:16:06.290
Modified: 2026-02-10T14:16:09.203
Link: CVE-2025-23366
Redhat
OpenCVE Enrichment
No data.
Weaknesses