Moderate severity · NVD Advisory · Published Sep 30, 2013 · Updated Apr 29, 2026
CVE-2013-4378
Description
Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.
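To make the mechanics concrete, here is an added illustration (not JavaMelody's code; the class, helper names and the constructed header value are assumptions) of the vulnerable and fixed ways of rendering a client-supplied address into the session report's HTML cell:

```java
/** Added illustration, not JavaMelody's code: the remote address shown in a session
 *  report is derived from a client-controlled header and must be HTML-encoded. */
public class SessionAddressRendering {

    /** Common pattern: prefer X-Forwarded-For, fall back to the socket address.
     *  X-Forwarded-For is fully client-controlled unless a trusted proxy overwrites it.
     *  Hypothetical helper, assumed for this example. */
    static String remoteAddrOf(String xForwardedFor, String socketAddr) {
        return (xForwardedFor == null || xForwardedFor.isEmpty()) ? socketAddr : xForwardedFor;
    }

    /** Pre-fix behaviour: the raw value is interpolated into the HTML table cell. */
    static String renderCellVulnerable(String remoteAddr) {
        return "<td>" + (remoteAddr == null ? "&nbsp;" : remoteAddr) + "</td>";
    }

    /** Post-fix behaviour: the value is entity-encoded before being written. */
    static String renderCellFixed(String remoteAddr) {
        return "<td>" + (remoteAddr == null ? "&nbsp;" : htmlEncodeButNotSpace(remoteAddr)) + "</td>";
    }

    /** Minimal encoder modelled on the name used in the fix commit: encodes the five
     *  HTML-significant characters and leaves spaces untouched. Assumed, not the library's. */
    static String htmlEncodeButNotSpace(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed header value containing markup, as a monitoring page might receive it.
        String hdr = "203.0.113.7 <b>not-an-ip</b>";
        String addr = remoteAddrOf(hdr, "198.51.100.2");
        System.out.println(renderCellVulnerable(addr)); // markup reaches the viewer's browser intact
        System.out.println(renderCellFixed(addr));      // markup is rendered as literal text
    }
}
```

The vulnerable cell is what the monitoring page would serve to whoever views the session report, so the impact lands on the operator, not on the client that sent the header.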
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.bull.javamelody:javamelody-core (Maven) | < 1.47.0 | 1.47.0 |
Affected products
- cpe:2.3:a:emeric_vernat:javamelody:*:*:*:*:*:*:*:* (range: <= 1.46)
- cpe:2.3:a:emeric_vernat:javamelody:1.10:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.11:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.13:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.14:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.15:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.16:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.17:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.18:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.19:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.20:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.21:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.22:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.23:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.24:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.25:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.26:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.27:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.28:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.29:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.30:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.31:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.32:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.32.1:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.33:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.34:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.35:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.36:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.37:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.38:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.39:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.40:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.41:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.42:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.43:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.44:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.45:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:emeric_vernat:javamelody:1.9:*:*:*:*:*:*:*
Patches
aacbc46151ff fix for issue 346: XSS through X-Forwarded-For header spoofing
1 file changed · +1 −1
javamelody-core/src/main/java/net/bull/javamelody/HtmlSessionInformationsReport.java+1 −1 modified@@ -159,7 +159,7 @@ private void writeSession(SessionInformations session, boolean displayUser) thro if (remoteAddr == null) { write(" "); } else { - write(remoteAddr); + write(htmlEncodeButNotSpace(remoteAddr)); } write(nextColumnAlignCenter); writeCountry(session);
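Review bot: htmlEncodeButNotSpace is outside this diff, so the hunk is only as good as that encoder; confirm it escapes at least `&`, `<`, `>`, `"` and `'` so the value is safe in the table-cell context the surrounding `write(nextColumnAlignCenter)` calls establish. The change wraps the single `write(remoteAddr)` sink in writeSession, but the same method also emits other per-session values (the user column gated by `displayUser`, and whatever `writeCountry(session)` derives from the address), and each raw `write(...)` of a request-derived string should get the same treatment. A regression test that feeds an X-Forwarded-For value containing `<` through the report and asserts on the encoded output would make the fix verifiable.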
References
- seclists.org/oss-sec/2013/q3/679 (nvd: Exploit, Patch, WEB)
- code.google.com/p/javamelody/source/detail (nvd: Exploit, Patch, WEB)
- github.com/advisories/GHSA-p4mx-p49m-8rw4 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-4378 (ghsa: ADVISORY)
- osvdb.org/97778 (nvd: WEB)
- code.google.com/p/javamelody/issues/detail (nvd: WEB)
- code.google.com/p/javamelody/wiki/ReleaseNotes (nvd: WEB)
- github.com/javamelody/javamelody/commit/aacbc46151ff4ac1ca34ce0899c2a6113071c66e (ghsa: WEB)
- github.com/javamelody/javamelody/issues/346 (ghsa: WEB)
- www.securityfocus.com/bid/62679 (nvd)