CVE-2025-14340
7.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red
Summary
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Payara Platform | Payara Server | 4.1.153.1 <= 4.1.2.191.53 | affected |
| Payara Platform | Payara Server | 5.20.0 <= 5.82.0 | affected |
| Payara Platform | Payara Server | 6.0.0 <= 6.33.0 | affected |
| Payara Platform | Payara Server | 7.2024.1.Alpha1 <= 7.2025.2 | affected |
| Payara Platform | Payara Server | 6.2022.1 <= 6.2025.11 | affected |
| Payara Platform | Payara Server | 5.2020.2 <= 5.2022.5 | affected |
| Payara Platform | Payara Server | 5.181 <= 5.201.2 | affected |
| Payara Platform | Payara Server | 4.1.2.191.54 | unaffected |
| Payara Platform | Payara Server | 5.83.0 | unaffected |
| Payara Platform | Payara Server | 6.34.0 | unaffected |
| Payara Platform | Payara Server | 7.2026.1 | unaffected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.