CVE-2025-2901 - Vulnerability Details

This vulnerability is redundant to CVE-2025-23366 and CVE-2024-10234.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Jboss Enterprise Application Platform

No data.

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 8.0.8
org.jboss.hal-hal-parent	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10459	2025-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-activemq-artemis-0:2.33.0-3.redhat_00017.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-apache-commons-beanutils-0:1.11.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-apache-cxf-0:4.0.6-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-apache-mime4j-0:0.8.12-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-eap-product-conf-parent-0:800.8.0-1.GA_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-elytron-web-0:4.0.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-fastinfoset-0:2.1.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-hal-console-0:3.6.24-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-hibernate-0:6.2.36-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-httpcomponents-asyncclient-0:4.1.5-4.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-jbossws-cxf-0:7.3.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-narayana-0:6.0.6-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-neethi-0:3.2.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-reactivex-rxjava2-0:2.2.21-3.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-slf4j-0:2.0.17-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-velocity-0:2.3.0-4.redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-wildfly-0:8.0.8-4.GA_redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-wildfly-elytron-0:2.2.11-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-activemq-artemis-0:2.33.0-3.redhat_00017.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-apache-commons-beanutils-0:1.11.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-apache-cxf-0:4.0.6-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-apache-mime4j-0:0.8.12-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-eap-product-conf-parent-0:800.8.0-1.GA_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-elytron-web-0:4.0.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-fastinfoset-0:2.1.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-hal-console-0:3.6.24-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-hibernate-0:6.2.36-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-httpcomponents-asyncclient-0:4.1.5-4.redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-jbossws-cxf-0:7.3.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-narayana-0:6.0.6-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-neethi-0:3.2.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-reactivex-rxjava2-0:2.2.21-3.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-slf4j-0:2.0.17-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-velocity-0:2.3.0-4.redhat_00010.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-wildfly-0:8.0.8-4.GA_redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-wildfly-elytron-0:2.2.11-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8614	This vulnerability is redundant to CVE-2025-23366 and CVE-2024-10234.
Github GHSA	GHSA-f7jh-m6wp-jm7f	HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2025-2901
https://www.cve.org/CVERecord?id=CVE-2025-2901

History

Tue, 08 Jul 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat jboss Enterprise Application Platform
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
Vendors & Products		Redhat Redhat jboss Enterprise Application Platform

Fri, 20 Jun 2025 12:30:00 +0000

Type	Values Removed	Values Added
References	https://access.redhat.com/security/cve/CVE-2025-2901 https://bugzilla.redhat.com/show_bug.cgi?id=2355685

Fri, 20 Jun 2025 12:15:00 +0000

Type	Values Removed	Values Added
Title	Org.jboss.hal-hal-parent: stored cross-site scripting (xss) in jboss eap management console	org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Jun 2025 12:00:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.	This vulnerability is redundant to CVE-2025-23366 and CVE-2024-10234.
CPEs	cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp
Vendors & Products	Redhat Redhat jboss Enterprise Application Platform Redhat jbosseapxp

Fri, 28 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 28 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.
Title	org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console	Org.jboss.hal-hal-parent: stored cross-site scripting (xss) in jboss eap management console
First Time appeared		Redhat Redhat jboss Enterprise Application Platform Redhat jbosseapxp
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp
Vendors & Products		Redhat Redhat jboss Enterprise Application Platform Redhat jbosseapxp
References		https://access.redhat.com/security/cve/CVE-2025-2901 https://bugzilla.redhat.com/show_bug.cgi?id=2355685

Fri, 28 Mar 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console
Weaknesses		CWE-79
References		https://nvd.nist.gov/vuln/detail/CVE-2025-2901 https://www.cve.org/CVERecord?id=CVE-2025-2901
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}` threat_severity `Moderate`

MITRE

Status: REJECTED

Assigner: redhat

Published: 2025-03-28T14:06:58.940Z

Updated: 2025-06-20T11:50:40.917Z

Reserved: 2025-03-28T06:08:55.376Z

Link: CVE-2025-2901

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-03-28T14:15:22.020

Modified: 2025-06-20T12:15:21.010

Link: CVE-2025-2901

Redhat

Severity : Moderate

Publid Date: 2025-03-28T00:00:00Z

Links: CVE-2025-2901 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object