VYPR
Moderate severity · NVD Advisory · Published Jul 16, 2025 · Updated Jul 16, 2025

CVE-2024-9343

Description

In Eclipse GlassFish version 7.0.15 it is possible to perform stored cross-site scripting attacks in the Administration Console.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse GlassFish 7.0.15 Admin Console stores unsanitized input, enabling stored Cross-site Scripting via uploadFrame.jsf.

Vulnerability Analysis

A stored Cross-site Scripting (XSS) vulnerability exists in Eclipse GlassFish version 7.0.15, specifically within the Administration Console. The root cause is improper sanitization of user-controlled input that is later stored and rendered in a web page, allowing attacker-supplied JavaScript to execute in the context of an authenticated administrator's session [1][2].

Attack Vector

The vulnerability is triggered through the uploadFrame.jsf component of the Admin Console. An authenticated attacker with administrative privileges can inject malicious script code when performing a file upload operation or entering data that is stored and later displayed without proper encoding. The attack requires valid administrator credentials and network access to the GlassFish Admin Console web interface [3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any administrator who views the affected page. This can lead to session hijacking, credential theft, unauthorized administrative actions, or defacement of the console. Because the injected script is stored, it persists across sessions and can affect multiple administrators until the malicious content is removed [2][4].

Mitigation

Eclipse Foundation has assigned this issue for resolution; users are advised to upgrade to a patched version of GlassFish when released, or apply vendor-recommended workarounds such as restricting network access to the Admin Console and reviewing logs for signs of exploitation. No public patch was available at the time of publication [1][2][3].
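The two workarounds above (restricting network access to the Admin Console and reviewing logs) can be checked together in one pass over the console's HTTP access log. The following is an added example, not code from the advisory or from GlassFish; it assumes access logging in Common Log Format, a hypothetical management-network allowlist, and constructed sample lines.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed sample lines in Common Log Format; not real GlassFish output.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Jul/2025:10:00:01 +0000] "GET /common/index.jsf HTTP/1.1" 200 5120
203.0.113.9 - admin [16/Jul/2025:10:02:17 +0000] "POST /common/applications/uploadFrame.jsf HTTP/1.1" 200 812
10.0.0.5 - admin [16/Jul/2025:10:05:42 +0000] "GET /common/applications/uploadFrame.jsf?name=report%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.5 - admin [16/Jul/2025:10:06:00 +0000] "GET /common/applications/uploadFrame.jsf?name=app.war HTTP/1.1" 200 640
"""

# Hypothetical management network that is allowed to reach the Admin Console.
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/24")]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Characters and tokens that have no business in a stored name the console renders.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def review_log(text, allowlist=ADMIN_ALLOWLIST):
    """Return (timestamp, source, reason) findings for uploadFrame.jsf requests:
    sources outside the admin network, and decoded parameters carrying markup."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        if "/uploadFrame.jsf" not in target:
            continue
        if not any(ip_address(src) in net for net in allowlist):
            findings.append((ts, src, "request from outside admin network"))
        # Decode first so percent- or plus-encoded markup is not missed.
        if MARKUP_RE.search(unquote_plus(target)):
            findings.append((ts, src, "markup characters in uploadFrame.jsf request"))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

Only request lines reach the access log, so a payload submitted in a POST body would not be visible here; the source-network check still applies to those requests.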

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.glassfish.main.admingui:console-common (Maven) | <= 7.0.25 | (none listed)

Affected products (2)

  • Range: = 7.0.15
  • Eclipse Foundation / Eclipse Glassfishv5, Range: 7.0.15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.