Mort Bay Jetty Multiple XSS Vulnerabilities
Gravité: : Medium
Identifiant(s) CVE: : CVE-2009-4610,CVE-2009-4612
Date du conseil: 21 juillet 2015
Description
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
Information Exposure Rating:
Apply associated Trend Micro DPI Rules.
Solutions
Trend Micro Deep Security DPI Rule Number: 1000552
Trend Micro Deep Security DPI Rule Name: 1000552 - Generic Cross Site Scripting(XSS) Prevention
Affected software and version:
- mortbay jetty 6.1.0
- mortbay jetty 6.1.1
- mortbay jetty 6.1.10
- mortbay jetty 6.1.11
- mortbay jetty 6.1.12
- mortbay jetty 6.1.14
- mortbay jetty 6.1.15
- mortbay jetty 6.1.16
- mortbay jetty 6.1.19
- mortbay jetty 6.1.2
- mortbay jetty 6.1.20
- mortbay jetty 6.1.21
- mortbay jetty 6.1.3
- mortbay jetty 6.1.4
- mortbay jetty 6.1.5
- mortbay jetty 6.1.6
- mortbay jetty 6.1.7
- mortbay jetty 6.1.8
- mortbay jetty 6.1.9