CVE-2025-2901
HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store
Description
A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.11.Final](https://github.com/hal/console/releases/tag/v3.7.11) ### Workarounds No workaround available
How to fix CVE-2025-2901
To remediate CVE-2025-2901, upgrade the affected package to a fixed version below.
- —upgrade to 3.7.11.Final or later
Is CVE-2025-2901 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-2901.
Affected packages (1)
- from 0, < 3.7.11.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |