CVE-2009-4610

Mort Bay Jetty 6.x and 7.0.0 - Cross-Site Scripting via JSP Dump Query String or Session Dump Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4610. PoCs published by Antonion Parata.

AI-analyzed exploit summary This is a detailed advisory describing multiple vulnerabilities in Jetty 6.x and 7.x, including information leaks, XSS, and escape sequence injection. It provides technical analysis and proof-of-concept examples but does not include executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Antonion Parata · textwebappsjsp
https://www.exploit-db.com/exploits/9887

This is a detailed advisory describing multiple vulnerabilities in Jetty 6.x and 7.x, including information leaks, XSS, and escape sequence injection. It provides technical analysis and proof-of-concept examples but does not include executable exploit code.

Classification
Writeup 100%
Attack Type
Info Leak | Xss | Other
Complexity
Trivial
Reliability
Reliable
Target: Jetty 7.0.0 and earlier versions
No auth needed
Prerequisites: Access to the target Jetty server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

EPSS 0.0306
EPSS Percentile 85.9%

Details

CWE
CWE-79
Status published
Products (6)
mortbay/jetty 6.0.0 (28 CPE variants)
mortbay/jetty 6.0.1
mortbay/jetty 6.0.2
mortbay/jetty 6.1.0 (9 CPE variants)
mortbay/jetty 6.1.1 (2 CPE variants)
mortbay/jetty 6.1.2 (9 CPE variants)
Published Jan 13, 2010
Tracked Since Feb 18, 2026