CVE-2013-4378

JavaMelody < 1.46 - Cross-Site Scripting via X-Forwarded-For Header


Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-4378. PoCs published by epicosy and theratpack.

AI-analyzed exploit summary: The repository contains a proof-of-concept exploit for CVE-2013-4378, targeting JavaMelody's monitoring tool. The exploit leverages an action execution mechanism to perform unauthorized operations such as garbage collection, heap dumps, and session invalidation.

Description

Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.

Exploits (2)

nomisec WORKING POC
by epicosy · poc
https://github.com/epicosy/VUL4J-50

Classification: Working PoC 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JavaMelody (versions requiring Java 1.5+)
No auth needed
Prerequisites: Access to the JavaMelody monitoring interface · System actions enabled in the configuration
mistral-large-3 · analyzed Feb 16, 2026
nomisec STUB
by theratpack · poc
https://github.com/theratpack/grails-javamelody-sample-app

The repository contains a README referencing CVE-2013-4378 and a basic JavaScript file for a Grails sample app using the Javamelody plugin. No exploit code or PoC is present.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Grails Javamelody plugin version 1.44
No auth needed
Prerequisites: Grails application with Javamelody plugin version 1.44
mistral-large-3 · analyzed Feb 16, 2026

References (6)

https://code.google.com/p/javamelody/wiki/ReleaseNotes (Third Party Advisory; x_refsource_confirm)
http://seclists.org/oss-sec/2013/q3/679 (Exploit, Patch; mailing-list; x_refsource_mlist)
http://www.securityfocus.com/bid/62679 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://osvdb.org/97778 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_osvdb)

Scores

EPSS: 0.0276
EPSS Percentile: 84.4%

Details

CWE: CWE-79
Status: published
Products (43)
emeric_vernat/javamelody 1.6
emeric_vernat/javamelody 1.7
emeric_vernat/javamelody 1.8
emeric_vernat/javamelody 1.9
emeric_vernat/javamelody 1.10
emeric_vernat/javamelody 1.11
emeric_vernat/javamelody 1.12
emeric_vernat/javamelody 1.13
emeric_vernat/javamelody 1.14
emeric_vernat/javamelody 1.15
... and 33 more
Published: Sep 30, 2013
Tracked Since: Feb 18, 2026