CVE-2009-3579
Published 2009-10-07
CVE-2009-3579: Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject…
Priority: P4 · 16 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 1.11% (61.8th percentile)
Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mortbay | jetty | — | — |
| mortbay | jetty | — | — |
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 4.3 MEDIUM
Red Hat
jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
vendor_redhat·2009-10-06·CVSS 4.3
CVE-2009-3579 [MEDIUM] CWE-79 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
GHSA
GHSA-hw4x-hf25-fgp2: Cross-site scripting (XSS) vulnerability in the CookieDump
ghsa_unreviewed·2022-05-02
CVE-2009-3579 [MEDIUM] CWE-79 GHSA-hw4x-hf25-fgp2: Cross-site scripting (XSS) vulnerability in the CookieDump
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-3579 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
bugzilla·2009-11-03·CVSS 4.3
CVE-2009-3579 [MEDIUM] CVE-2009-3579 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3579 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/.
Core Security Technologies advisory CORE-2009-0922:
http://www.coresecurity.com/content/jetty-persistent-xss
Sample XSS:
http://localhost:8088/cookie/?Name=a&Value=alert('XSS;)&Age=600
Note: Issue is not fixed in 6.1.21 as noted in CORE-2009-0922. This should be a proper upstream fix to be included in 6.1.22:
http://fisheye.codehaus.org/changelog/jetty/?cs=5571
This sample serv
Bugzilla
CVE-2009-4609 CVE-2009-4610 CVE-2009-4612 jetty: multiple XSS and information leaks in demo servlets
bugzilla·2009-11-03·CVSS 4.3
CVE-2009-4609 [MEDIUM] CVE-2009-4609 CVE-2009-4610 CVE-2009-4612 jetty: multiple XSS and information leaks in demo servlets
ush.it reported multiple flaws affecting jetty 6.x and 7.x:
http://www.ush.it/2009/10/25/jetty-6x-and-7x-multiple-vulnerabilities/
The following information leak problems are reported for demo applications:
A) "Dump Servlet" information leak
(Affected versions: Any)
B) "FORM Authentication demo" information leak
(Affected versions: Any)
and XSS issues:
C) "JSP Dump" reflected XSS
(Affected versions: Any)
D) "Session Dump Servlet" stored XSS
(Affected versions: Any)
G) "Cookie Dump Servlet" stored XSS
(Affected versions: =<6.1.20)
H) WebApp JSP Snoop page XSS
(Affected versions: =<6.1.21)
Discussion:
Local copy of the advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=532675#c1
http://www.coresecurity.com/content/jetty-persistent-xss
http://www.securityfocus.com/archive/1/507013/100/0/threaded
http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt