{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25247", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-02-05T06:27:11.904Z", "datePublished": "2025-02-10T11:16:59.979Z", "dateUpdated": "2025-02-10T14:40:10.467Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Felix Webconsole", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.9.8", "status": "affected", "version": "Version 4.x", "versionType": "semver"}, {"lessThanOrEqual": "5.0.8", "status": "affected", "version": "Version 5.x", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Viktor Mares ([email protected])"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.</p><p>This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.</p><p>Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.\n\nThis issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.\n\nUsers are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-02-10T11:16:59.979Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m"}], "source": {"advisory": "FELIX-6751", "discovery": "UNKNOWN"}, "title": "Apache Felix Webconsole: XSS in services console", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/02/10/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-10T12:04:27.741Z"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-10T14:38:49.656788Z", "id": "CVE-2025-25247", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T14:40:10.467Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/02/10/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-10T12:04:27.741Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-25247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-10T14:38:49.656788Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T14:39:06.186Z"}}], "cna": {"title": "Apache Felix Webconsole: XSS in services console", "source": {"advisory": "FELIX-6751", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Viktor Mares ([email protected])"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Felix Webconsole", "versions": [{"status": "affected", "version": "Version 4.x", "versionType": "semver", "lessThanOrEqual": "4.9.8"}, {"status": "affected", "version": "Version 5.x", "versionType": "semver", "lessThanOrEqual": "5.0.8"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.\n\nThis issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.\n\nUsers are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.</p><p>This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.</p><p>Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-02-10T11:16:59.979Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25247", "state": "PUBLISHED", "dateUpdated": "2025-02-10T14:40:10.467Z", "dateReserved": "2025-02-05T06:27:11.904Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-02-10T11:16:59.979Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:felix_webconsole:*:*:*:*:*:*:*:*", "matchCriteriaId": "961B5383-2AF2-4E6F-9BF5-A5C742D6AA67", "versionEndExcluding": "4.9.10", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:felix_webconsole:*:*:*:*:*:*:*:*", "matchCriteriaId": "731E59BA-2F12-47FC-AD13-99FFB0A67483", "versionEndExcluding": "5.0.10", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.\n\nThis issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.\n\nUsers are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en Apache Felix Webconsole. Este problema afecta a Apache Felix Webconsole 4.x hasta 4.9.8 y 5.x hasta 5.0.8. Se recomienda a los usuarios actualizar a la versi\u00f3n 4.9.10 o 5.0.10 o superior, que soluciona el problema. "}], "id": "CVE-2025-25247", "lastModified": "2025-07-14T13:50:15.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-02-10T12:15:29.557", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory", "Issue Tracking"], "url": "https://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2025/02/10/1"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.felix.webconsole: Apache Felix Webconsole: XSS in services console", "id": "2344635", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344635"}, "csaw": false, "cwe": "CWE-79", "details": ["Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.\nThis issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.\nUsers are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.", "A flaw was found in the Apache Felix Webconsole. This vulnerability allows Cross-site Scripting (XSS) via improper neutralization of input during web page generation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-25247", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.apache.felix/org.apache.felix.webconsole", "product_name": "Red Hat Fuse 7"}], "public_date": "2025-02-10T11:16:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25247\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25247\nhttps://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m"], "threat_severity": "Moderate"}