VulnerableCode Package Details - pkg:maven/org.jboss.hal/hal-console@3.6.0.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-5du4-1bus-huhv Aliases: GHSA-5wjw-h8x5-v65m	Duplicate Advisory: Wildfly HAL Console Cross-Site Scripting # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jhvj-f397-8w6q. This link is maintained to preserve external references. # Original Description A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.	3.7.8.Final Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-8ew2-s4a9-u7cu Aliases: CVE-2025-2901 GHSA-f7jh-m6wp-jm7f	HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.11.Final](https://github.com/hal/console/releases/tag/v3.7.11) ### Workarounds No workaround available	3.7.11.Final Affected by 0 other vulnerabilities.
VCID-gkqy-w15q-jud2 Aliases: CVE-2025-23366 GHSA-jhvj-f397-8w6q	HAL Console has a Cross Site Scripting (XSS) vulnerability of user input A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References - https://access.redhat.com/security/cve/CVE-2025-23366 - https://bugzilla.redhat.com/show_bug.cgi?id=2337619	3.7.7.Final Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-w155-te58-v3fy Aliases: GHSA-64gp-r758-8pfm	Cross Site Scripting (XSS) vulnerability while uploading content to a new deployment A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFLY-19969	3.7.7.Final Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zufu-x8dx-xygs Aliases: GHSA-hp88-hfjw-2hg4	Duplicate Advisory: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7jh-m6wp-jm7f. This link is maintained to preserve external references. # Original Description A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.	3.7.11.Final Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5du4-1bus-huhv
Aliases:
GHSA-5wjw-h8x5-v65m

Duplicate Advisory: Wildfly HAL Console Cross-Site Scripting # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jhvj-f397-8w6q. This link is maintained to preserve external references. # Original Description A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

3.7.8.Final
Affected by 2 other vulnerabilities.

VCID-8ew2-s4a9-u7cu
Aliases:
CVE-2025-2901
GHSA-f7jh-m6wp-jm7f

HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.11.Final](https://github.com/hal/console/releases/tag/v3.7.11) ### Workarounds No workaround available

3.7.11.Final
Affected by 0 other vulnerabilities.

VCID-gkqy-w15q-jud2
Aliases:
CVE-2025-23366
GHSA-jhvj-f397-8w6q

HAL Console has a Cross Site Scripting (XSS) vulnerability of user input A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References - https://access.redhat.com/security/cve/CVE-2025-23366 - https://bugzilla.redhat.com/show_bug.cgi?id=2337619

3.7.7.Final
Affected by 3 other vulnerabilities.

VCID-w155-te58-v3fy
Aliases:
GHSA-64gp-r758-8pfm

Cross Site Scripting (XSS) vulnerability while uploading content to a new deployment A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFLY-19969

3.7.7.Final
Affected by 3 other vulnerabilities.

VCID-zufu-x8dx-xygs
Aliases:
GHSA-hp88-hfjw-2hg4

Duplicate Advisory: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7jh-m6wp-jm7f. This link is maintained to preserve external references. # Original Description A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.

3.7.11.Final
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:28:23.004938+00:00	GitLab Importer	Affected by	VCID-8ew2-s4a9-u7cu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/CVE-2025-2901.yml	38.4.0
2026-04-16T23:25:12.027576+00:00	GitLab Importer	Affected by	VCID-zufu-x8dx-xygs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-hp88-hfjw-2hg4.yml	38.4.0
2026-04-16T23:18:54.195453+00:00	GitLab Importer	Affected by	VCID-gkqy-w15q-jud2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/CVE-2025-23366.yml	38.4.0
2026-04-16T23:18:44.774976+00:00	GitLab Importer	Affected by	VCID-5du4-1bus-huhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-5wjw-h8x5-v65m.yml	38.4.0
2026-04-16T23:17:41.856417+00:00	GitLab Importer	Affected by	VCID-w155-te58-v3fy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-64gp-r758-8pfm.yml	38.4.0
2026-04-12T00:47:58.895136+00:00	GitLab Importer	Affected by	VCID-8ew2-s4a9-u7cu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/CVE-2025-2901.yml	38.3.0
2026-04-12T00:44:34.063065+00:00	GitLab Importer	Affected by	VCID-zufu-x8dx-xygs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-hp88-hfjw-2hg4.yml	38.3.0
2026-04-12T00:37:44.492538+00:00	GitLab Importer	Affected by	VCID-gkqy-w15q-jud2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/CVE-2025-23366.yml	38.3.0
2026-04-12T00:37:34.295665+00:00	GitLab Importer	Affected by	VCID-5du4-1bus-huhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-5wjw-h8x5-v65m.yml	38.3.0
2026-04-12T00:36:28.608696+00:00	GitLab Importer	Affected by	VCID-w155-te58-v3fy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-64gp-r758-8pfm.yml	38.3.0
2026-04-03T00:55:58.918308+00:00	GitLab Importer	Affected by	VCID-8ew2-s4a9-u7cu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/CVE-2025-2901.yml	38.1.0
2026-04-03T00:52:31.091319+00:00	GitLab Importer	Affected by	VCID-zufu-x8dx-xygs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-hp88-hfjw-2hg4.yml	38.1.0
2026-04-03T00:45:39.192104+00:00	GitLab Importer	Affected by	VCID-gkqy-w15q-jud2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/CVE-2025-23366.yml	38.1.0
2026-04-03T00:45:29.092276+00:00	GitLab Importer	Affected by	VCID-5du4-1bus-huhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-5wjw-h8x5-v65m.yml	38.1.0
2026-04-03T00:44:17.547487+00:00	GitLab Importer	Affected by	VCID-w155-te58-v3fy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jboss.hal/hal-console/GHSA-64gp-r758-8pfm.yml	38.1.0