4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-2901

GHSA ID

GHSA-f7jh-m6wp-jm7f

EPSS Score

CWE

CWE-79

Published

5/6/2025

Updated

5/6/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-2901

CVE-2025-2901: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.

Impact

Cross-site scripting (XSS) vulnerability in the management console.

Patches

Fixed in HAL 3.7.11.Final

Workarounds

No workaround available

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-2901

CVE-2025-2901:

4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-2901

GHSA ID

GHSA-f7jh-m6wp-jm7f

EPSS Score

CWE

CWE-79

Published

5/6/2025

Updated

5/6/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jboss.hal:hal-console	maven	< 3.7.11.Final	3.7.11.Final

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored XSS caused by improper sanitization of user-supplied server URLs before storage, and lack of adequate sanitization when rendering these stored URLs. The analysis of the patch commit 216de3b8aa82ea92df10cc296d88c68467cf2c52 reveals several key changes:

Input Hardening: The ServerActions.editUrl method, which previously accepted a free-form string for the server URL, was changed to use a structured form (scheme, host, port). This restricts the user's ability to inject malicious script into the URL components during input.
Data Storage and Retrieval: The ServerUrl class was refactored to handle these structured components and its getUrl() method now primarily constructs the URL from these parts, returning a raw String instead of SafeHtml.
Sanitization at Rendering:
- In ServerActions, when displaying the server URL, explicit sanitization (SafeHtmlUtils.fromString()) was added before injecting the URL into HTML. This is a direct fix for an XSS rendering point.
- In DeploymentPreview, the server URL (now a raw string) is used directly in an href attribute. This remains a potential execution point if a malicious URL could still be formed and stored, despite input hardening.
- In RestResourcePreview, the server URL (raw string) is passed to another method, specifyParameters. This is another point where the malicious stored data is processed.

The identified vulnerable functions are either responsible for the initial flawed input (ServerActions.editUrl in its vulnerable state), or are points where the stored malicious URL is rendered or processed, leading to XSS execution (the onSuccess methods in ServerActions, DeploymentPreview, and RestResourcePreview). The commit addresses the vulnerability by modifying these input and rendering pathways.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-2901: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

Impact

Patches

Workarounds

CVE-2025-2901:

4.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-2901: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

Impact

Patches

Workarounds

4.6

4.6

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI