CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-2901 – Org.jboss.hal-hal-parent: stored cross-site scripting (xss) in jboss eap management console
https://notcve.org/view.php?id=CVE-2025-2901
28 Mar 2025 — A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities. • https://access.redhat.com/security/cve/CVE-2025-2901 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2025-2240 – Smallrye-fault-tolerance: smallrye fault tolerance
https://notcve.org/view.php?id=CVE-2025-2240
12 Mar 2025 — A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue. • https://access.redhat.com/security/cve/CVE-2025-2240 • CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0CVE-2025-23368 – Org.wildfly.core:wildfly-elytron-integration: wildfly elytron brute force attack via cli
https://notcve.org/view.php?id=CVE-2025-23368
04 Mar 2025 — A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. • https://access.redhat.com/security/cve/CVE-2025-23368 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 5.5EPSS: 0%CPEs: 46EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2025-23367 – Org.wildfly.core:wildfly-server: wildfly improper rbac permission
https://notcve.org/view.php?id=CVE-2025-23367
30 Jan 2025 — A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whet... • https://access.redhat.com/security/cve/CVE-2025-23367 • CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-23366 – Org.jboss.hal:hal-console: wildfly hal console cross-site scripting
https://notcve.org/view.php?id=CVE-2025-23366
14 Jan 2025 — A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. • https://access.redhat.com/security/cve/CVE-2025-23366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11736 – Org.keycloak:keycloak-quarkus-server: unrestricted admin use of system and environment variables
https://notcve.org/view.php?id=CVE-2024-11736
14 Jan 2025 — A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing. Se encontró una vulnerabilidad en Keycloak. • https://access.redhat.com/errata/RHSA-2025:0299 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11734 – Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers
https://notcve.org/view.php?id=CVE-2024-11734
14 Jan 2025 — A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request. Se encontró una vulnerabilidad de denegación de servicio en Keycloak que podría permitir que un usuario administrativo con derecho a cambi... • https://access.redhat.com/errata/RHSA-2025:0299 • CWE-693: Protection Mechanism Failure •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-8447 – Narayana: deadlock via multiple join requests sent to lra coordinator
https://notcve.org/view.php?id=CVE-2024-8447
02 Jan 2025 — A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service. A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. • https://access.redhat.com/security/cve/CVE-2024-8447 • CWE-833: Deadlock •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10973 – Keycloak: cli option for encrypted jgroups ignored
https://notcve.org/view.php?id=CVE-2024-10973
17 Dec 2024 — A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information. • https://access.redhat.com/security/cve/CVE-2024-10973 • CWE-319: Cleartext Transmission of Sensitive Information •