This security advisory for Red Hat JBoss Enterprise Application Platform 7.4.23 fixes several vulnerabilities: CVE-2024-10234 (WildFly core management subsystem XSS), CVE-2025-2251 (Improper Deserialization in JBoss Marshalling allowing remote code execution), CVE-2025-2901 (Stored XSS in JBoss EAP Management Console), CVE-2025-23184 (Denial of Service in Apache CXF via temporary files), CVE-2025-35036 (Hibernate Validator Expression Language Injection), and CVE-2025-48734 (Apache Commons BeanUtils PropertyUtilsBean enum property suppression issue). These vulnerabilities impact key components of the platform and are addressed in this release. The advisory references multiple bug fixes and upgrades to underlying libraries and subsystems to remediate these issues.

The vulnerabilities fixed in this update include Cross-Site Scripting (XSS) flaws that could allow attackers to inject malicious scripts, Expression Language Injection that may lead to unauthorized expression evaluation, Denial of Service conditions via resource exhaustion, and Improper Deserialization that could enable remote code execution. These issues pose significant risks to the confidentiality, integrity, and availability of applications running on the affected platform versions.

A security update to Red Hat JBoss Enterprise Application Platform 7.4.23 is available and should be applied. This update replaces version 7.4.22 and includes fixes for all listed vulnerabilities. Before applying the update, ensure all previously released errata are applied and back up existing installations, including applications and configurations. Follow Red Hat's official update procedures as detailed in their advisory and documentation. No additional mitigations are specified beyond applying this update.