{"id":"CVE-2025-25247","details":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.\n\nThis issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.\n\nUsers are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.","aliases":["GHSA-4c37-7m5h-c8m9"],"modified":"2026-04-10T05:27:07.856894Z","published":"2025-02-10T12:15:29.557Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/10/1"},{"type":"REPORT","url":"https://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/felix-dev","events":[{"introduced":"1ce72dad35b4e1caca807b53185402515d5bf07f"},{"fixed":"f9f659188c7113a81b17cdbb3794eed5c975cbf3"},{"introduced":"fc87db65f67e92c9da8baea993f53a15c4bf5b76"},{"fixed":"2fad865f532e56c9f19b6a1ad4b17010f033ba92"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.9.10"},{"introduced":"5.0.0"},{"fixed":"5.0.10"}]}}],"versions":["felix-parent-9","maven-bundle-plugin-6.0.0","org.apache.felix.cm.json-2.0.6","org.apache.felix.http.base-5.1.10","org.apache.felix.http.base-5.1.6","org.apache.felix.http.base-5.1.8","org.apache.felix.http.bridge-5.1.6","org.apache.felix.http.bridge-5.1.8","org.apache.felix.http.inventoryprinter-1.0.2","org.apache.felix.http.jetty-5.1.10","org.apache.felix.http.jetty-5.1.12","org.apache.felix.http.jetty-5.1.14","org.apache.felix.http.jetty-5.1.16","org.apache.felix.http.jetty-5.1.18","org.apache.felix.http.jetty-5.1.20","org.apache.felix.http.jetty-5.1.22","org.apache.felix.http.jetty-5.1.24","org.apache.felix.http.jetty-5.1.26","org.apache.felix.http.jetty-5.1.28","org.apache.felix.http.jetty-5.1.8","org.apache.felix.http.jetty12-1.0.10","org.apache.felix.http.jetty12-1.0.12","org.apache.felix.http.jetty12-1.0.14","org.apache.felix.http.jetty12-1.0.16","org.apache.felix.http.jetty12-1.0.18","org.apache.felix.http.jetty12-1.0.19","org.apache.felix.http.jetty12-1.0.2","org.apache.felix.http.jetty12-1.0.20","org.apache.felix.http.jetty12-1.0.4","org.apache.felix.http.jetty12-1.0.6","org.apache.felix.http.jetty12-1.0.8","org.apache.felix.http.webconsoleplugin-1.2.0","org.apache.felix.http.wrappers-1.0.4","org.apache.felix.http.wrappers-1.1.4","org.apache.felix.http.wrappers-1.1.6","org.apache.felix.http.wrappers-1.1.8","org.apache.felix.http.wrappers6-1.1.4","org.apache.felix.scr-2.2.10","org.apache.felix.scr-2.2.12","org.apache.felix.scr-2.2.8","org.apache.felix.webconsole-5.0.0","org.apache.felix.webconsole-5.0.2","org.apache.felix.webconsole-5.0.4","org.apache.felix.webconsole-5.0.6","org.apache.felix.webconsole-5.0.8","osgicheck-maven-plugin-0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25247.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}