Debora Esposito

**Name of the Vulnerable Software and Affected Versions** Eclipse GlassFish version 7.0.15 **Description** Eclipse GlassFish version 7.0.15 is susceptible to Stored Cross-site scripting attacks within the Administration Console. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eclipse GlassFish versions 7.0.16 and earlier **Description** Eclipse GlassFish is susceptible to login brute-force attacks due to the absence of restrictions on the number of failed login attempts. **Recommendations** Apply a configuration to limit the number of failed login attempts.

**Name of the Vulnerable Software and Affected Versions** Eclipse GlassFish version 7.0.15 **Description** Eclipse GlassFish version 7.0.15 is susceptible to Stored Cross-site scripting attacks within the Administration Console. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eclipse GlassFish version 7.0.15 **Description** Eclipse GlassFish version 7.0.15 is susceptible to Reflected Cross-site scripting attacks within the Administration Console. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eclipse GlassFish version 7.0.15 **Description** Eclipse GlassFish version 7.0.15 is susceptible to Stored Cross-site Scripting attacks. The attacks can be performed by modifying the configuration file within the underlying operating system. **Recommendations** Modify the configuration file to prevent the injection of malicious scripts.

Name of the Vulnerable Software and Affected Versions: Payara Server versions 4.1.2.191.1 through 4.1.2.191.50 Payara Server versions 5.20.0 through 5.67.0 Payara Server versions 6.0.0 through 6.18.0 Payara Server versions 6.2022.1 through 6.2024.9 Description: The issue affects the Payara Server, specifically the Admin Console modules, due to an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Remote Code Inclusion. Recommendations: For Payara Server versions 4.1.2.191.1 through 4.1.2.191.50, update to version 4.1.2.191.51 or later. For Payara Server versions 5.20.0 through 5.67.0, update to version 5.68.0 or later. For Payara Server versions 6.0.0 through 6.18.0, update to version 6.19.0 or later. For Payara Server versions 6.2022.1 through 6.2024.9, update to version 6.2024.10 or later.

**Name of the Vulnerable Software and Affected Versions** Eclipse Glassfish versions prior to 7.0.17 **Description** The Host HTTP parameter could cause the web application to redirect to the specified URL when the requested endpoint is "/management/domain". By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. **Recommendations** For Eclipse Glassfish versions prior to 7.0.17, as a temporary workaround, consider restricting access to the "/management/domain" endpoint until a patch is available. Avoid using the Host HTTP parameter in the affected endpoint to minimize the risk of exploitation. Update to version 7.0.17 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Payara Server versions 4.1.2.191.0 through 4.1.2.191.50 Payara Server versions 5.20.0 through 5.67.0 Payara Server versions 5.2020.2 through 5.2022.5 Payara Server versions 6.0.0 through 6.18.0 Payara Server versions 6.2022.1 through 6.2024.9 Description: The issue affects the Payara Platform Payara Server, specifically the logging modules, allowing sensitive credentials to be posted in plain text on the server log. This exposes sensitive information to unauthorized actors. Recommendations: For Payara Server versions 4.1.2.191.0 through 4.1.2.191.50, update to version 4.1.2.191.50 or later. For Payara Server versions 5.20.0 through 5.67.0, update to version 5.67.0 or later. For Payara Server versions 5.2020.2 through 5.2022.5, update to version 5.2022.5 or later. For Payara Server versions 6.0.0 through 6.18.0, update to version 6.18.0 or later. For Payara Server versions 6.2022.1 through 6.2024.9, update to version 6.2024.9 or later.

**Name of the Vulnerable Software and Affected Versions** Payara Server versions 4.1.2.191.0 through 4.1.2.191.50 Payara Server versions 5.20.0 through 5.67.0 Payara Server versions 5.2020.2 through 5.2022.5 Payara Server versions 6.0.0 through 6.18.0 Payara Server versions 6.2022.1 through 6.2024.9 **Description** The issue affects the Payara Platform Payara Server, specifically the REST Management Interface modules, allowing session hijacking due to a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. **Recommendations** For Payara Server versions 4.1.2.191.0 through 4.1.2.191.50, update to version 4.1.2.191.50 or later. For Payara Server versions 5.20.0 through 5.67.0, update to version 5.67.0 or later. For Payara Server versions 5.2020.2 through 5.2022.5, update to version 5.2022.5 or later. For Payara Server versions 6.0.0 through 6.18.0, update to version 6.18.0 or later. For Payara Server versions 6.2022.1 through 6.2024.9, update to version 6.2024.9 or later.