CVE-2024-10029
Description
In Eclipse GlassFish version 7.0.15 it is possible to perform Reflected Cross-site scripting attacks in the Administration Console.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse GlassFish 7.0.15 Administration Console is vulnerable to Reflected Cross-site Scripting via the instanceName parameter.
Vulnerability
Eclipse GlassFish version 7.0.15 contains a reflected cross-site scripting (XSS) vulnerability in its Administration Console. The flaw allows an unauthenticated attacker to inject arbitrary JavaScript into the application's response; because the injected script is served from the Administration Console's own origin, the browser's same-origin policy offers no protection once the victim opens a crafted link.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload in the instanceName parameter and tricking an authenticated administrative user into clicking it [1][2][3][4]. No authentication is required to deliver the payload, although the victim must be logged into the Administration Console for the script to execute in the privileged context.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session with the GlassFish Administration Console. This can lead to session hijacking, administrative actions performed on behalf of the victim, or theft of sensitive information displayed on the console.
Mitigation
The vulnerability was reported through the Eclipse Foundation's security process [3][4]. Users should upgrade to a patched version of GlassFish as soon as one becomes available. As of publication, version 7.0.15 is affected; later releases may contain the fix. No workaround is described in the public advisories.
References
- GitHub - eclipse-ee4j/glassfish: Eclipse GlassFish
- NVD - CVE-2024-10029
- Glassfish cross-side scripting in instanceName (#40) · Issues · Eclipse Projects Security / cve-assignment · GitLab
- Glassfish cross-side scripting in instanceName (#226) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.glassfish.main.admingui:console-common (Maven) | <= 7.0.25 | — |
| org.glassfish.main.admingui:console-cluster-plugin (Maven) | <= 7.0.25 | — |
Affected products
- Eclipse Foundation / Eclipse Glassfish (v5), affected range: 7.0.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.