CVE-2024-10029: Eclipse GlassFish is vulnerable to Reflected XSS attacks through its Administration Console
N/A
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.glassfish.main.admingui:console-common | maven | <= 7.0.25 | |
org.glassfish.main.admingui:console-cluster-plugin | maven | <= 7.0.25 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the Administration Console of Eclipse GlassFish, specifically on the instanceStatus.jsf page. The instanceName request parameter is reflected into the response without adequate sanitization or output encoding, so an attacker who can get an administrator to open a crafted link can inject script into the console page. The issue was reported against version 7.0.15, and the advisory states that versions up to and including 7.0.25 are affected. I have analyzed the vulnerability reports and searched the project's repository, but I was unable to find the specific commit that addresses this issue; this is consistent with the table above, which lists no first patched version. Without the patch, the exact vulnerable function and the corresponding code changes cannot be identified. The vulnerable code most likely lies in the JSF backing bean for the instanceStatus.jsf page, where the instanceName parameter is processed. Since I cannot pinpoint the exact function and support it with evidence from a patch, I am returning an empty list of vulnerable functions.
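As an added illustration, not part of the original advisory and not GlassFish code, the Python below shows the check a tester would run to confirm whether a request parameter such as instanceName comes back in the page unencoded. It sends a canary built from a random token wrapped in the characters an HTML encoder must neutralise, then classifies the reflection as unescaped, escaped, altered or absent. The base URL (default GlassFish admin port, page name from the advisory, path otherwise a placeholder) is an assumption, and the two echo servers are constructed stand-ins for a vulnerable and a hardened rendering, not the console's real behaviour.

```python
"""Reflected-parameter check: does a page echo a query parameter into HTML
without entity-encoding it? Added example; not GlassFish code. The URL and
the echo servers below are constructed stand-ins."""
import html
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Characters an HTML encoder must neutralise when a parameter is written into
# a page. A raw '<', '"' or "'" in the reflection lets the value break out of
# its text or attribute context; a raw '>' on its own cannot.
SPECIAL = '<>"\''
BREAKOUT = '<"\''

# Assumed target: default GlassFish admin port, page name taken from the
# advisory, path otherwise a placeholder.
BASE_URL = "https://localhost:4848/instanceStatus.jsf"
PARAM = "instanceName"


def make_canary(token=None):
    """Return (token, canary): SPECIAL bracketed by a random token so every
    reflection can be located and the text between the tokens inspected."""
    token = token or secrets.token_hex(4)
    return token, f"{token}{SPECIAL}{token}"


def build_probe_url(base_url, param, value):
    """Set one query parameter on base_url, URL-encoding the value."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body, token):
    """Classify how the canary built from `token` came back in `body`:
    'unescaped'     a break-out character is reflected raw (the XSS pattern)
    'escaped'       every reflection is entity-encoded (&lt; &quot; ...)
    'altered'       token present but SPECIAL was filtered or truncated
    'not_reflected' token absent
    """
    hits = [m.start() for m in re.finditer(re.escape(token), body)]
    if not hits:
        return "not_reflected"
    verdicts = set()
    for start, end in zip(hits[0::2], hits[1::2]):
        middle = body[start + len(token):end]
        if any(c in middle for c in BREAKOUT):
            verdicts.add("unescaped")
        elif html.unescape(middle) == SPECIAL:
            verdicts.add("escaped")
        else:
            verdicts.add("altered")
    if len(hits) % 2:                      # unpaired token: partial reflection
        verdicts.add("altered")
    for verdict in ("unescaped", "altered", "escaped"):   # worst verdict wins
        if verdict in verdicts:
            return verdict


def probe(fetch, base_url=BASE_URL, param=PARAM):
    """Send one canary through `fetch(url) -> body` and classify the result."""
    token, canary = make_canary()
    return classify_reflection(fetch(build_probe_url(base_url, param, canary)), token)


def echo_server(escape_output):
    """Constructed stand-in for a server (not GlassFish): render the parameter
    either raw (the vulnerable pattern) or entity-encoded (the hardened form)."""
    def fetch(url):
        params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
        name = params.get(PARAM, "")
        shown = html.escape(name) if escape_output else name
        return f"<html><body><h1>Status of instance {shown}</h1></body></html>"
    return fetch


if __name__ == "__main__":
    print("raw rendering     :", probe(echo_server(escape_output=False)))
    print("encoded rendering :", probe(echo_server(escape_output=True)))
```

Against a live host, `fetch` would be a function that performs an authenticated GET (the console requires a logged-in session) and returns the response body; an `unescaped` verdict reproduces the class of defect described above, while `escaped` is what a fixed page should return. The canary deliberately contains no script so the check is safe to run against a production console.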