{
  "threat_severity" : "Moderate",
  "public_date" : "2025-01-14T00:00:00Z",
  "bugzilla" : {
    "description" : "org.jboss.hal:hal-console: Wildfly HAL Console Cross-Site Scripting",
    "id" : "2337619",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2337619"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.", "A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”." ],
  "statement" : "Red Hat has evaluated this issue: the attacker must be authenticated as a user that belongs to the management groups “SuperUser”, “Admin”, or “Maintainer”. Exploiting this issue therefore requires prior privileges in order to jeopardize an environment.",
  "acknowledgement" : "Red Hat would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "org.jboss.hal/hal-console",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Affected",
    "package_name" : "org.jboss.hal/hal-console",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "org.jboss.hal/hal-console",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.jboss.hal/hal-console",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23366\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23366" ],
  "name" : "CVE-2025-23366",
  "csaw" : false
}