CVE-2021-3536
wildfly: XSS via admin console when creating roles in domain mode
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto afecta la Confidencialidad y la Integridad
A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, and traversal vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-05 CVE Reserved
- 2021-05-20 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1948001 | 2021-05-26 | |
| https://access.redhat.com/security/cve/CVE-2021-3536 | 2021-12-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Data Grid Search vendor "Redhat" for product "Data Grid" | 8.0 Search vendor "Redhat" for product "Data Grid" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Descision Manager Search vendor "Redhat" for product "Descision Manager" | 7.0 Search vendor "Redhat" for product "Descision Manager" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel K Search vendor "Redhat" for product "Integration Camel K" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel Quarkus Search vendor "Redhat" for product "Integration Camel Quarkus" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Service Registry Search vendor "Redhat" for product "Integration Service Registry" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss A-mq Search vendor "Redhat" for product "Jboss A-mq" | 7 Search vendor "Redhat" for product "Jboss A-mq" and version "7" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Search vendor "Redhat" for product "Wildfly" | < 23.0.2 Search vendor "Redhat" for product "Wildfly" and version " < 23.0.2" | - |
Affected
| ||||||