
CVE-2025-1534 – Cross-site Scripting (Stored)
https://notcve.org/view.php?id=CVE-2025-1534
01 Apr 2025 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows Remote Code Inclusion. This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2. • https://docs.payara.fish/community/docs/6.2025.3/Release%20Notes/Release%20Notes%206.2025.3.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-45687 – HTTP Server incorrectly accepting disallowed characters within header values
https://notcve.org/view.php?id=CVE-2024-45687
21 Jan 2025 — Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing. This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191... • https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVE-2024-8215 – Payload Injection Attack via Management REST interface
https://notcve.org/view.php?id=CVE-2024-8215
08 Oct 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion. This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51. • https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.10.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-8097 – Sensitive information exposure when the org.glassfish.admingui LOGGER is set to FINEST level
https://notcve.org/view.php?id=CVE-2024-8097
11 Sep 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50. • https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-7312 – REST Interface Link Redirection via Host parameter
https://notcve.org/view.php?id=CVE-2024-7312
11 Sep 2024 — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50. • https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.67.0.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2023-28462
https://notcve.org/view.php?id=CVE-2023-28462
30 Mar 2023 — A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed. • https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191 • CWE-502: Deserialization of Untrusted Data •