VYPR
Moderate severity · NVD Advisory · Published Jul 16, 2025 · Updated Jul 16, 2025

CVE-2024-10031

Description

In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse GlassFish 7.0.15 allows stored XSS via configuration file modification, enabling arbitrary script execution in the admin console.

Vulnerability

Overview

CVE-2024-10031 describes a stored cross-site scripting (XSS) vulnerability in Eclipse GlassFish version 7.0.15. The root cause is that an attacker with the ability to modify configuration files on the underlying operating system can inject malicious scripts into the application. These scripts are then stored and later executed in the context of the administrative console, leading to a stored XSS condition [1][2].

Exploitation

Prerequisites

Exploitation requires the attacker to have write access to the GlassFish configuration files on the server's file system. This could be achieved through local access, compromised credentials, or another vulnerability that grants file write privileges. No authentication to the GlassFish admin interface is needed for the injection step, but the injected script will execute when an administrator accesses the affected component (e.g., the user management interface) [3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin console. This can lead to session hijacking, defacement, theft of administrative credentials, or further compromise of the GlassFish server and its hosted applications. The stored nature of the XSS means the payload persists across sessions and can affect multiple administrators [2].

Mitigation

Status

As of the publication date (2025-07-16), no patch has been announced for this vulnerability. Users are advised to restrict file system permissions on GlassFish configuration directories, monitor for unauthorized changes, and apply any future updates from the Eclipse GlassFish project [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
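The two interim mitigations named above (restrictive permissions on the configuration directory and monitoring for unauthorized changes) can be scripted. The following is an added example written for this page; it is not code from the advisory, NVD, or the GlassFish project. `CONFIG_DIR`, the function names, and the demonstration files are assumptions: point `CONFIG_DIR` at the real configuration directory of the domain being protected, and store the baseline manifest somewhere the GlassFish process cannot write.

```shell
#!/bin/sh
# Added example (not from the advisory or GlassFish). Two defender checks for a
# GlassFish configuration directory:
#   1. check_perms    : report config files writable by group or others
#   2. config_baseline / config_verify : SHA-256 manifest of every file, compared
#      against a stored baseline so added, removed or modified files are reported
# CONFIG_DIR is a placeholder path, not a real GlassFish layout.
CONFIG_DIR="${CONFIG_DIR:-/path/to/glassfish-config}"

# Print files under $1 whose mode grants write permission to group or others.
# Returns 1 if any are found, 0 if the directory is tightly permissioned.
check_perms() {
  loose=$(find "$1" -type f -perm /022 2>/dev/null)   # /022 = g+w or o+w set
  if [ -n "$loose" ]; then
    printf 'group/other-writable config files:\n%s\n' "$loose"
    return 1
  fi
  return 0
}

# Write a sorted "sha256  ./relative/path" manifest of directory $1 to file $2.
# Sorting makes the manifest deterministic so two runs compare line by line.
config_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done ) > "$2"
}

# Recompute the manifest for $1 and compare it with baseline $2.
# Returns 0 if identical; otherwise prints the differing lines and returns 1.
# Unlike "sha256sum -c", this also catches files that were added.
config_verify() {
  tmp=$(mktemp)
  config_baseline "$1" "$tmp"
  if cmp -s "$2" "$tmp"; then
    rm -f "$tmp"
    return 0
  fi
  echo "configuration drift detected in $1:"
  diff "$2" "$tmp" | grep '^[<>]'      # '<' baseline only, '>' current only
  rm -f "$tmp"
  return 1
}

# Constructed demonstration data (not real GlassFish configuration).
demo() {
  d=$(mktemp -d); cfg="$d/config"; mkdir -p "$cfg"
  printf '<settings/>\n' > "$cfg/app-config.xml"
  chmod 640 "$cfg/app-config.xml"
  check_perms "$cfg" && echo "permissions ok"
  config_baseline "$cfg" "$d/baseline.sha256"
  config_verify "$cfg" "$d/baseline.sha256" && echo "no drift"
  printf '<settings><!-- modified --></settings>\n' > "$cfg/app-config.xml"
  config_verify "$cfg" "$d/baseline.sha256" || echo "alert: investigate change"
  rm -rf "$d"
}

demo
```

In practice, run `config_baseline` once after a known-good deployment and schedule `config_verify` (and `check_perms`) from a cron job or your monitoring agent; a non-zero exit is the signal to alert on. Keep the baseline file outside `CONFIG_DIR` and read-only to the application account, since a writer who can alter the configuration could otherwise rewrite the baseline too.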

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem  Affected versions  Patched versions
org.glassfish.main.admingui:console-common  Maven      <= 7.0.25          none listed

Affected products (2)

  • Range: = 7.0.15
  • Eclipse Foundation/Eclipse Glassfishv5
    Range: 7.0.15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.