CVE-2013-4378

Emeric Vernat Javamelody <= 1.46 - XSS


Description

Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header. The header is set by the client on an ordinary request, so the injected markup is recorded with that client's session and rendered to whoever later views the sessions report in the monitoring UI; the victim is the operator viewing the report, not the sender of the header.
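As an added illustration of the bug class, not JavaMelody's own code, the Python below models the path from header to page: a remote address is taken from X-Forwarded-For when the client sent one (a common reverse-proxy-aware pattern; the lookup here is a simplification, not the project's exact logic), then written into an HTML sessions table. The vulnerable renderer concatenates the value; the fixed one HTML-escapes it. A classifier inspects a captured report body for the probe. The table markup, the probe string, the function names and the request headers are constructed for this example.

```python
"""Added illustration for CVE-2013-4378 (not JavaMelody's code).

Shows the bug class: a client-supplied X-Forwarded-For value is recorded as the
session's remote address and then written into an HTML sessions report without
output encoding. Also shows how to classify a captured report body.
"""
import html

# Constructed probe: a harmless marker that only needs to survive unescaped.
PROBE = '<img src=x onerror="alert(1)">'


def resolve_remote_addr(headers: dict, peer_ip: str) -> str:
    """Typical reverse-proxy-aware address lookup (simplified; an assumption,
    not the project's exact logic): prefer X-Forwarded-For when the client
    sent one. Any client can send the header, so the returned value is
    attacker-controlled text, not necessarily an IP address."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return lookup.get("x-forwarded-for", peer_ip)


def render_session_row_vulnerable(session_id: str, remote_addr: str) -> str:
    """Pre-fix pattern: untrusted values concatenated straight into markup.
    The table layout is an assumption, not the real report markup."""
    return f"<tr><td>{session_id}</td><td>{remote_addr}</td></tr>"


def render_session_row_fixed(session_id: str, remote_addr: str) -> str:
    """Hardened pattern (the CWE-79 remedy): HTML-escape every
    attacker-influenced value at the point it is written into the page."""
    return (
        f"<tr><td>{html.escape(session_id, quote=True)}</td>"
        f"<td>{html.escape(remote_addr, quote=True)}</td></tr>"
    )


def classify_reflection(body: str, probe: str) -> str:
    """Classify a sessions-report body fetched after a request carried `probe`
    in X-Forwarded-For:
      'unescaped' - probe appears verbatim: the report is injectable
      'escaped'   - probe appears entity-encoded: rendered safely
      'absent'    - not recorded (header ignored, or session not listed)"""
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "escaped"
    return "absent"


def demo() -> dict:
    """Run both renderers on a request that spoofs X-Forwarded-For."""
    headers = {"X-Forwarded-For": PROBE}            # constructed request headers
    addr = resolve_remote_addr(headers, "10.0.0.7")  # 10.0.0.7 is the real peer
    return {
        "vulnerable": classify_reflection(render_session_row_vulnerable("s1", addr), PROBE),
        "fixed": classify_reflection(render_session_row_fixed("s1", addr), PROBE),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'unescaped', 'fixed': 'escaped'}
```

To test a real deployment the same way, send one request carrying the probe in X-Forwarded-For, fetch the sessions report as a monitoring user, and run classify_reflection over the body. Treat "absent" as inconclusive rather than safe: a front proxy may overwrite or strip the header before the application sees it, and the session may have expired before the report was fetched.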

Exploits (2)

Working PoC (by epicosy)
https://github.com/epicosy/VUL4J-50
Stub (by theratpack)
https://github.com/theratpack/grails-javamelody-sample-app

References (6)

Vendor release notes (third-party advisory, vendor confirmation)
https://code.google.com/p/javamelody/wiki/ReleaseNotes
oss-sec mailing-list post (exploit, patch)
http://seclists.org/oss-sec/2013/q3/679
SecurityFocus BID 62679 (third-party advisory, VDB entry)
http://www.securityfocus.com/bid/62679
OSVDB 97778 (third-party advisory, VDB entry)
http://osvdb.org/97778

Scores

EPSS score 0.0054 (estimated probability of exploitation in the wild within 30 days)
EPSS percentile 67.9%

Details

CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation)
Status published
Products (43)
emeric_vernat/javamelody 1.6
emeric_vernat/javamelody 1.7
emeric_vernat/javamelody 1.8
emeric_vernat/javamelody 1.9
emeric_vernat/javamelody 1.10
emeric_vernat/javamelody 1.11
emeric_vernat/javamelody 1.12
emeric_vernat/javamelody 1.13
emeric_vernat/javamelody 1.14
emeric_vernat/javamelody 1.15
... and 33 more
Published Sep 30, 2013
Tracked Since Feb 18, 2026