
CVE-2025-25247:
Apache Felix Webconsole: XSS in services console

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.02634%
Published: 2/10/2025
Updated: 2/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                                 | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.felix:org.apache.felix.webconsole | maven     | >= 4.0.0, < 4.9.10  | 4.9.10
org.apache.felix:org.apache.felix.webconsole | maven     | >= 5.0.0, < 5.0.10  | 5.0.10

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from line 469 in ServicesServlet.java, where the user-controlled 'filter' parameter was encoded for an HTML content context but emitted into a JavaScript context. The patch switched the encoding call to Encode.forJavaScript, indicating that HTML encoding alone was insufficient for the JavaScript execution context. The renderContent() method generates the HTTP response, making it the logical location for an output-encoding flaw. The direct correspondence between the vulnerability description, the CWE-79 classification, and the specific encoding change in the commit confirms this function's role in the XSS vulnerability.
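As an added illustration of the context mismatch described above (this is example code, not the page's or Apache Felix's source), the following Java snippet contrasts the OWASP Java Encoder's forHtmlContent with forJavaScript for a value emitted inside a script string literal. The template line, the constructed filter value and the literalBrokenOut() check are assumptions made for the example; the snippet needs org.owasp.encoder:encoder on the classpath.

```java
import org.owasp.encoder.Encode;

/**
 * Hypothetical reconstruction of an "HTML encoding in a JavaScript context"
 * defect and its fix. Not the Felix Webconsole source.
 */
public class FilterEncodingDemo {

    // Constructed sample input: a quote ends the JS literal, a new statement
    // follows, and "//" comments out the rest of the line. It contains none of
    // the characters (&, <, >) that an HTML-content encoder rewrites.
    static final String FILTER = "';alert(document.domain);//";

    /** Vulnerable pattern: forHtmlContent only rewrites &, < and >, so the
     *  single quote survives and terminates the JavaScript literal early. */
    static String vulnerable(String filter) {
        return "var filterData = '" + Encode.forHtmlContent(filter) + "';";
    }

    /** Fixed pattern: forJavaScript escapes quotes, backslashes, slashes and
     *  line terminators (e.g. ' becomes \x27), so the value stays one literal. */
    static String fixed(String filter) {
        return "var filterData = '" + Encode.forJavaScript(filter) + "';";
    }

    /** Defender-side check: does the text between the first and last quote of
     *  the emitted line contain an unescaped single quote? If so, the value
     *  escaped the string literal and the encoder was wrong for this context. */
    static boolean literalBrokenOut(String line) {
        int start = line.indexOf('\'') + 1;
        int end = line.lastIndexOf('\'');
        String body = line.substring(start, end);
        for (int i = 0; i < body.length(); i++) {
            char c = body.charAt(i);
            if (c == '\\') { i++; continue; }   // skip the escaped character
            if (c == '\'') return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String bad = vulnerable(FILTER);
        String good = fixed(FILTER);
        System.out.println(bad);
        System.out.println(good);
        System.out.println("vulnerable breaks out: " + literalBrokenOut(bad));
        System.out.println("fixed breaks out:      " + literalBrokenOut(good));
    }
}
```

The same check can be pointed at any server-generated script line in a code review or a unit test: an encoder chosen for HTML text passes the HTML parser but the browser's JavaScript parser still sees the raw quote.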
