CVE-2013-4378

Emeric Vernat JavaMelody < 1.46 - XSS

Description

Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.

Exploits (2)

nomisec STUB
by theratpack · poc
https://github.com/theratpack/grails-javamelody-sample-app

nomisec WORKING POC
by epicosy · poc
https://github.com/epicosy/VUL4J-50

Scores

EPSS 0.0100
EPSS Percentile 76.8%

Details

CWE: CWE-79
Status: published
Products (44)
emeric_vernat/javamelody < 1.46
Published Sep 30, 2013
Tracked Since Feb 18, 2026