A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00081.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
unaffected
Version Status Constraints
0 affected < 3.7.7.Final
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:2.16.0-21.redhat_00055.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:3.5.10-1.redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
1:1.0.2-5.redhat_00004.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:1.9.6-1.Final_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:2.3.14-9.SP10_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:3.3.27-1.Final_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:6.0.23-3.SP2_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:1.5.21-1.Final_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:1.10.0-42.Final_redhat_00042.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:5.4.15-1.Final_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:7.4.23-3.GA_redhat_00002.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 affected
Version Status Constraints
0:1.15.26-1.Final_redhat_00001.1.el8eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:2.16.0-21.redhat_00055.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:3.5.10-1.redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
1:1.0.2-5.redhat_00004.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:1.9.6-1.Final_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:2.3.14-9.SP10_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:3.3.27-1.Final_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:6.0.23-3.SP2_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:1.5.21-1.Final_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:1.10.0-42.Final_redhat_00042.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:5.4.15-1.Final_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:7.4.23-3.GA_redhat_00002.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 affected
Version Status Constraints
0:1.15.26-1.Final_redhat_00001.1.el9eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:2.16.0-21.redhat_00055.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:3.5.10-1.redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
1:1.0.2-5.redhat_00004.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:1.9.6-1.Final_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:2.3.14-9.SP10_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:3.3.27-1.Final_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:6.0.23-3.SP2_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:1.5.21-1.Final_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:1.10.0-42.Final_redhat_00042.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:5.4.15-1.Final_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:7.4.23-3.GA_redhat_00002.1.el7eap unaffected < *
Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 affected
Version Status Constraints
0:1.15.26-1.Final_redhat_00001.1.el7eap unaffected < *
Red Hat Red Hat JBoss Data Grid 7 unknown
Red Hat Red Hat JBoss Enterprise Application Platform 8 affected
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack unaffected

Configuration 1 [-]

cpe:2.3:a:redhat:hal_management_console:*:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors Products
Redhat Subscribe
Hal Management Console Subscribe
Jboss Data Grid Subscribe
Jboss Enterprise Application Platform Subscribe
Jbosseapxp Subscribe
Advisories
Source ID Title
EUVD EUVD EUVD-2025-0099 A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.
Github GHSA Github GHSA GHSA-jhvj-f397-8w6q HAL Console has a Cross Site Scripting (XSS) vulnerability of user input
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://access.redhat.com/errata/RHSA-2025:10924 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:10925 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:10926 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-23366 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2337619 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-23366 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-23366 cve-icon
History

Tue, 10 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
References

Tue, 10 Feb 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
References

Tue, 14 Oct 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hal Management Console
CPEs cpe:2.3:a:redhat:hal_management_console:*:*:*:*:*:*:*:*
Vendors & Products Redhat hal Management Console

Wed, 15 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Jan 2025 02:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 14 Jan 2025 17:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.
Title Org.jboss.hal:hal-console: wildfly hal console cross-site scripting
First Time appeared Redhat
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Weaknesses CWE-79
CPEs cpe:/a:redhat:jboss_data_grid:7
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
Vendors & Products Redhat
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-10T13:17:26.317Z

Reserved: 2025-01-14T15:23:42.645Z

Link: CVE-2025-23366

cve-icon Vulnrichment

Updated: 2025-01-15T15:00:48.978Z

cve-icon NVD

Status : Modified

Published: 2025-01-14T18:16:06.290

Modified: 2026-02-10T14:16:09.203

Link: CVE-2025-23366

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-14T00:00:00Z

Links: CVE-2025-23366 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses