Advisories for Maven/Net.bull.javamelody/Javamelody-Core package

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in net.bull.javamelody:javamelody-core.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.

2018

Improper Restriction of XML External Entity Reference

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.