VYPR
Critical severity · NVD Advisory · Published Jul 20, 2022

Java Melody vulnerable to cross-site scripting

CVE-2016-1000273

Description

JavaMelody is a monitoring tool for JavaEE applications. Versions prior to 1.61.0 are vulnerable to a cross-site scripting (XSS) attack. This issue was patched in version 1.61.0, and users are recommended to upgrade to the latest version. There are no known workarounds.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     | Affected versions | Patched versions
net.bull.javamelody:javamelody-core (Maven) | < 1.61.0          | 1.61.0

Patches

1 commit: e0497c1980ac

fix XSS

https://github.com/javamelody/javamelody · evernat · Aug 24, 2016 · via ghsa
1 file changed · +1 −1
  • javamelody-core/src/main/java/net/bull/javamelody/HtmlCoreReport.java · +1 −1 · modified
    @@ -365,7 +365,7 @@ void writeMessageIfNotNull(String message, String partToRedirectTo,
     		if (message != null) {
    
     			writeln(SCRIPT_BEGIN);
    
     			// writeDirectly pour ne pas gérer de traductions si le message contient '#'
    
    -			writeDirectly("alert(\"" + javascriptEncode(message) + "\");");
    
    +			writeDirectly("alert(\"" + htmlEncodeButNotSpace(javascriptEncode(message)) + "\");");
    
     			writeln("");
    
     			// redirect vers une url évitant que F5 du navigateur ne refasse l'action au lieu de faire un refresh
    
     			if (partToRedirectTo == null) {
    
    
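Review bot: wrapping the value on the `writeDirectly("alert(\"" + ...)` line in htmlEncodeButNotSpace does close the breakout (a message containing `</script>` passes javascriptEncode untouched, and the HTML parser ends the script element there before any JavaScript runs), but applying HTML encoding on top of the JavaScript encoding changes what users see: every `"` that javascriptEncode turns into `\"` is now emitted as `\&quot;`, and browsers do not decode entities inside script text, so legitimate messages containing quotes, ampersands or angle brackets will display entity-encoded in the alert. Consider instead making javascriptEncode emit JavaScript escapes (`\u003C`, `\u003E`, `\u0026`) for `<`, `>` and `&`, which keeps the value inside the string literal and renders correctly; either way the one-line message `fix XSS` should record the behaviour change and the reason for the double encoding.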

Vulnerability mechanics

The fix commit touches a single call site, HtmlCoreReport.writeMessageIfNotNull, which writes a message into an inline script block as the argument of a JavaScript alert(). Before the fix the message went through javascriptEncode only, which escapes the characters that would end the JavaScript string literal but leaves HTML markup such as a closing </script> tag intact. Because the browser's HTML parser tokenizes the script element before the JavaScript engine sees the string, a message containing </script> ends the script element early and everything after it is parsed as markup, so attacker-supplied tags execute in the context of the JavaMelody page. Version 1.61.0 additionally passes the escaped value through htmlEncodeButNotSpace, so angle brackets and ampersands never reach the HTML parser as markup.
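To make the inline-script breakout concrete, here is an added example that is not JavaMelody's own code. It builds the vulnerable and fixed shapes of the alert() call, using simplified Python stand-ins for the javascriptEncode and htmlEncodeButNotSpace helpers named in the fix commit (their real implementations are assumed, not reproduced), and feeds the output to Python's html.parser, which treats script content as raw text until the first </script>, the same way a browser does. The payload is constructed for the demonstration.

```python
"""Why JavaScript string escaping alone does not stop XSS inside an inline <script>.

Added example; the two encoders below are assumed, simplified stand-ins for the
JavaMelody helpers named in the fix commit, not the project's code.
"""
from html.parser import HTMLParser


def javascript_encode(s: str) -> str:
    """Escape a value for use inside a JavaScript double-quoted string literal.

    Note that '<' and '>' are left untouched: they are harmless to the JS
    tokenizer, but not to the HTML tokenizer that runs first.
    """
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("\r", "\\r").replace("\n", "\\n"))


def html_encode_but_not_space(s: str) -> str:
    """HTML-encode the characters that can start or end markup; spaces stay as-is."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#39;"))


def render_before(message: str) -> str:
    """Shape of the write before the fix: JavaScript escaping only."""
    return ('<script type="text/javascript">alert("'
            + javascript_encode(message) + '");</script>')


def render_after(message: str) -> str:
    """Shape of the write after the fix: HTML encoding applied on top."""
    return ('<script type="text/javascript">alert("'
            + html_encode_but_not_space(javascript_encode(message)) + '");</script>')


class TagCollector(HTMLParser):
    """Records every start tag the HTML tokenizer sees.

    html.parser switches to raw-text mode after <script> and only leaves it at
    the first </script>, so anything after an injected </script> is parsed as
    markup, exactly like a browser's HTML parser.
    """

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(html: str) -> list[str]:
    """Return the start tags the HTML tokenizer produces for the given document."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


# Constructed attacker-controlled message: javascript_encode leaves "</script>"
# intact, so the script element is closed early and the <img> becomes real markup.
PAYLOAD = '</script><img src=x onerror=alert(document.domain)>'


if __name__ == "__main__":
    print(tags_in(render_before(PAYLOAD)))  # ['script', 'img']: markup injection
    print(tags_in(render_after(PAYLOAD)))   # ['script']: stays inside the alert string
```

The same check is useful as a regression test for any template that interpolates data into a script block: assert that the tokenizer reports only the tags you wrote, regardless of what the interpolated value contains.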
