PT-2019-3890 · Eclipse · Eclipse Jetty
Published 2019-04-04 · Updated 2022-12-24
CVE-2019-10241
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty versions 9.2.26 and older
Eclipse Jetty versions 9.3.25 and older
Eclipse Jetty versions 9.4.15 and older
Description
The server is vulnerable to cross-site scripting (XSS) if a remote client uses a specially formatted URL against a DefaultServlet or ResourceHandler that is configured to show a listing of directory contents. The issue arises because the generated directory listing page does not adequately protect its HTML structure from the content it embeds, allowing a remote attacker to conduct XSS attacks by means of a specially formatted URL.
Recommendations
For Eclipse Jetty versions 9.2.26 and older, update to a version newer than 9.2.26 to resolve the issue.
For Eclipse Jetty versions 9.3.25 and older, update to a version newer than 9.3.25 to resolve the issue.
For Eclipse Jetty versions 9.4.15 and older, update to a version newer than 9.4.15 to resolve the issue.
As a temporary workaround, consider restricting access to the DefaultServlet and ResourceHandler to minimize the risk of exploitation.
XSS
Affected Products
Astra Linux
Eclipse Jetty