CVE-2025-27867: 
Java vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Apache Felix HTTP Webconsole Plugin, tracked as CVE-2025-27867. The vulnerability was discovered by Viktor Mares and disclosed on March 12, 2025. This security issue affects Apache Felix HTTP Webconsole Plugin versions from 1.X through 1.2.0, which involves improper neutralization of input during web page generation (OSS Security, NVD).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). The CVSS 3.1 base score is 5.6 (Medium), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating that the vulnerability is network accessible, requires high attack complexity, needs no privileges, requires no user interaction, and has a scope that is unchanged with low impacts to confidentiality, integrity, and availability (NVD).

The Cross-site Scripting vulnerability could potentially allow attackers to inject malicious scripts into web pages viewed by users of the Apache Felix HTTP Webconsole Plugin. This could lead to unauthorized access to sensitive information, session hijacking, or other malicious activities typically associated with XSS attacks (NVD).

Users are strongly recommended to upgrade to Apache Felix HTTP Webconsole Plugin version 1.2.2, which contains the fix for this vulnerability (OSS Security).