VYPR
Moderate severity · NVD Advisory · Published Jul 16, 2025 · Updated Jul 16, 2025

CVE-2024-10032

Description

In Eclipse GlassFish version 7.0.15 it is possible to perform stored cross-site scripting attacks in the Administration Console.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse GlassFish 7.0.15 Administration Console allows stored XSS via crafted input, enabling session hijacking or admin impersonation.

Description

Eclipse GlassFish versions up to 7.0.15 contain a stored cross-site scripting (XSS) vulnerability in the Administration Console. [1] The vulnerability arises because user-supplied input is not properly sanitized before being stored and later rendered in the administrative interface. An attacker can inject arbitrary HTML or JavaScript code into configuration pages, such as standaloneInstanceConfigProperties.jsf. [3] [4]

Exploitation

To exploit this issue, an attacker must have valid administrator credentials for the GlassFish Administration Console. The attacker can then inject malicious script code into form fields that are later displayed to other administrators. The attack is performed via HTTP POST requests, and the injected payload is stored on the server. [1] No additional authentication is needed beyond the initial admin login.

Impact

If a victim administrator views the affected page, the injected script executes in their browser session. This can lead to session hijacking, exposure of sensitive data, or execution of administrative actions on behalf of the victim. [2] The stored XSS persists until manually removed, affecting all subsequent administrators who visit the compromised configuration page.

Mitigation

The vulnerability has been confirmed by the Eclipse Foundation. [2] [4] Users should upgrade to a patched version of Eclipse GlassFish as soon as one becomes available. As a temporary workaround, administrators should ensure that only trusted users have access to the Administration Console and review any unexpected content in configuration properties.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.glassfish.main.admingui:console-cluster-plugin (Maven)
Affected versions: <= 7.0.25
Patched versions: (none listed)

Affected products (2)

  • Range: =7.0.15
  • Eclipse Foundation / Eclipse Glassfish v5
    Range: 7.0.15

Patches (0)

No patches discovered yet.

References (4)
