lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180823152248.6288E20101@smtp.hushmail.com> Date: Thu, 23 Aug 2018 08:22:48 -0700 From: 1n3--- via Fulldisclosure <fulldisclosure@...lists.org> To: "Simon Waters" <simon.waters@...evine.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] Jetty 6.1.6 Cross-Site Scripting (XSS) It's likely CVE-2009-1524, but the description is vague and no public PoC was released as far as I can tell. On 8/23/2018 at 2:00 AM, "Simon Waters" wrote: On Tue, 21 Aug 2018 at 18:15, 1n3--- via Fulldisclosure wrote: Title: Jetty 6.1.6 Cross-Site Scripting Date: 8/14/2018 Author: 1N3@...wdShield - https://crowdshield.com Software Link: http://www.mortbay.org/jetty/ Tested on: Jetty 6.1.6 (other versions may also be vulnerable) CVE: N/A Background: Jetty 6.1.6 is vulnerable to Cross-Site Scripting (XSS) which allows an attacker to inject malicious code into the affected site. An attacker can trigger the exploit by appending the following payload to an affected web server which has an open directory listing enabled (https://victim.com//..;/">"). Is this CVE-2009-1524? If so fixed in 6.1.17, April 2009. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists