Description
In the default configuration, after JBoss is installed, the web console is available at http://localhost:8080/web-console. The web console can be used to display the JNDI tree, dump the list of threads, redeploy an application, or even shut down the application server. By default, the console is not secured and can be used by remote attackers. See References for detailed information.
Remediation
Restrict access to JBoss Web Console.
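One way to apply this restriction, shown as an added example that is not part of the original advisory or of JBoss's shipped configuration. It assumes a JBoss AS 4.x-style layout in which the console is deployed as web-console.war; the role name JBossAdmin, the realm name and the security domain java:/jaas/web-console are assumptions to match against your installation.

```xml
<!-- web-console.war/WEB-INF/web.xml (file location assumed) -->
<web-app>
  <!-- Weak variant, kept commented out for comparison only: naming
       individual methods constrains just those methods, so requests
       using any other HTTP verb are not covered by the constraint.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebConsole</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->

  <!-- Corrected variant: no http-method elements, so every method on
       every console URL requires an authenticated user in the role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebConsole</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
    <!-- Requires an HTTPS connector; BASIC credentials are otherwise
         sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss Web Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>

<!-- web-console.war/WEB-INF/jboss-web.xml (file location assumed):
     binds the application to a JAAS security domain that must be
     defined in the server's login configuration. -->
<jboss-web>
  <security-domain>java:/jaas/web-console</security-domain>
</jboss-web>
```

Replace any sample accounts in the security domain's user store before relying on it, and confirm afterwards that an unauthenticated request to /web-console is refused for every HTTP method. If the console is not needed, undeploying it removes the exposure entirely.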
References
Securing the JMX Console and Web Console
Bridging the Gap between the Enterprise and You - or - Who's the JBoss now?