CVE-2025-23366

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "redhat",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23366.json"
}

References

Affected packages

Git / github.com/hal/console

Affected ranges

Type

GIT

Repo

https://github.com/hal/console

Events

Introduced

Fixed

4ef303fe5eb41ed1c82eef1ddcbfbb6bcdfe6f8d

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.7.7.Final"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*

0.2.10

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

v3.*

v3.5.1.Final

v3.5.10

v3.5.11

v3.5.12

v3.5.2.Final

v3.5.3

v3.5.4

v3.5.5

v3.5.6

v3.5.7

v3.5.8

v3.5.9

v3.6.0

v3.6.1

v3.6.10

v3.6.11

v3.6.12

v3.6.13

v3.6.14

v3.6.15

v3.6.16

v3.6.17

v3.6.2

v3.6.3

v3.6.4

v3.6.5

v3.6.6

v3.6.7

v3.6.8

v3.6.9

v3.7.0

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.7.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23366.json"