CVE-2009-4612

Name of the Vulnerable Software and Affected Versions Mort Bay Jetty versions 6.1.x through 6.1.21

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page. Remote attackers can inject arbitrary web script or HTML via the PATH INFO to specific URIs, including (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH INFO to (4) snoop.jsp.

Recommendations For Mort Bay Jetty versions 6.1.x through 6.1.21, consider restricting access to the vulnerable jspsnoop/ and snoop.jsp pages until a patch is available. As a temporary workaround, avoid using the PATH INFO to the default URI under the mentioned paths. At the moment, there is no information about a newer version that contains a fix for this vulnerability.