VYPR
Moderate severity · NVD Advisory · Published Jun 14, 2018 · Updated Aug 5, 2024

CVE-2018-12432

Description

JavaMelody through 1.60.0 has a stored XSS in the clear_counter action via the counter parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

JavaMelody versions through 1.60.0 (the GitHub Security Advisory lists every release before 1.61.0 as affected) are vulnerable to cross-site scripting (XSS) on the /monitoring page. The clear_counter action takes the counter parameter and includes its value in the confirmation message that the page emits as a JavaScript alert. The vulnerable code is writeMessageIfNotNull in javamelody-core/src/main/java/net/bull/javamelody/HtmlCoreReport.java, as the fix commit below shows: the message was passed through javascriptEncode, which only protects the JavaScript string literal, and not through any HTML encoding, so '<' and '>' reached the output unchanged and a value containing '</script>' could terminate the script element and start attacker-controlled markup [1][2][3].

Exploitation

An attacker sends a crafted HTTP GET request to /monitoring?action=clear_counter&counter=. The server answers with an HTML page whose script block embeds the attacker-controlled counter value; because only JavaScript-string escaping was applied, a value that closes the script element is parsed as HTML, and the script it introduces runs in the victim's browser. No authentication is required where the monitoring page is exposed without it, which is the case unless the deployment configures authentication for JavaMelody, and the only user interaction is that a victim who can reach the monitoring page loads the manipulated URL [2].
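To make the encoding gap concrete, here is an added example (Python written for this page, not JavaMelody's code) that models the alert line from HtmlCoreReport.writeMessageIfNotNull before and after the fix. The javascript_encode and html_encode_but_not_space helpers, the SCRIPT_BEGIN value and the two attacker inputs are assumptions about the Java helpers of the same names, chosen to show why JavaScript-string escaping alone does not stop an HTML-level breakout, and what the alert would display once the entity encoding is added.

```python
# Added example (not JavaMelody's code): a Python model of the alert emitted
# by HtmlCoreReport.writeMessageIfNotNull before and after the fix commit.
# The two encoders are assumptions about what JavaMelody's javascriptEncode
# and htmlEncodeButNotSpace do; SCRIPT_BEGIN is likewise an assumed value.
SCRIPT_BEGIN = "<script type='text/javascript'>"
SCRIPT_END = "</script>"


def javascript_encode(s: str) -> str:
    """Assumed model of javascriptEncode: backslash-escapes the characters
    that could end a JS string literal, but leaves '<', '>' and '&' alone."""
    return (s.replace("\\", "\\\\")
             .replace('"', '\\"')
             .replace("'", "\\'")
             .replace("\n", "\\n")
             .replace("\r", "\\r"))


def html_encode_but_not_space(s: str) -> str:
    """Assumed model of htmlEncodeButNotSpace: entity-encodes the HTML
    metacharacters and, as the name says, leaves spaces untouched."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def render_vulnerable(message: str) -> str:
    """Pre-fix line: alert(\"" + javascriptEncode(message) + "\");"""
    return SCRIPT_BEGIN + 'alert("' + javascript_encode(message) + '");' + SCRIPT_END


def render_fixed(message: str) -> str:
    """Post-fix line: htmlEncodeButNotSpace(javascriptEncode(message))."""
    return (SCRIPT_BEGIN + 'alert("'
            + html_encode_but_not_space(javascript_encode(message))
            + '");' + SCRIPT_END)


def breaks_out_of_script(rendered: str) -> bool:
    """True when an HTML parser would end the <script> element before the
    intended SCRIPT_END. Script content is raw text to the HTML parser, so
    the element ends at the first '</script' regardless of JS escaping."""
    first_end = rendered.lower().find("</script")
    return first_end != len(rendered) - len(SCRIPT_END)


def alert_argument(rendered: str) -> str:
    """JS-level view of the literal after 'alert("': backslash escapes undone.
    HTML entities are deliberately NOT decoded, because a browser does not
    decode them inside a <script> element either."""
    i = rendered.index('alert("') + len('alert("')
    out = []
    while rendered[i] != '"':
        if rendered[i] == "\\":
            out.append({"n": "\n", "r": "\r"}.get(rendered[i + 1], rendered[i + 1]))
            i += 2
        else:
            out.append(rendered[i])
            i += 1
    return "".join(out)


# Constructed attacker inputs for the counter parameter (assuming the
# counter value reaches the message unchanged).
BREAKOUT = '</script><script>alert(document.cookie)</script>'
QUOTE_ONLY = '"); alert(1); //'

if __name__ == "__main__":
    for label, value in (("breakout", BREAKOUT), ("quote-only", QUOTE_ONLY)):
        for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
            page = render(value)
            print(f"{label:10} {name:10} breaks out: {breaks_out_of_script(page)!s:5} "
                  f"alert shows: {alert_argument(page)!r}")
```

The quote-only input shows that the pre-fix code already handled the JavaScript string boundary; the only hole was the HTML parser seeing '</script' inside the script text. The fixed output no longer breaks out, but the alert now displays the entity-encoded text, which is the visible cost of encoding for HTML inside a script element.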

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser, in the origin of the monitored application. That permits theft of data the monitoring page exposes or that the browser holds for the origin (e.g. session cookies not flagged HttpOnly), defacement, or redirection to malicious sites. The attack does not give server-side code execution, but since the monitoring page is normally viewed by operators, the compromised session is likely to be a privileged one [1][2].

Mitigation

The fix is commit e0497c1980acebd257d3da78dfde29ae9bdffdf6 (listed under Patches below, dated Aug 24, 2016), which wraps the alert text in htmlEncodeButNotSpace(javascriptEncode(message)) so that '<' and '>' are entity-encoded and can no longer close the script element [3]. Users should upgrade to JavaMelody 1.61.0 or later, the patched version named in the GitHub Security Advisory. If upgrading is not immediately possible, restrict network access to the /monitoring endpoint, require authentication for it, or apply a web application firewall rule that rejects requests whose counter parameter contains markup characters [1].
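As an added example for the interim mitigations (not part of the advisory or of JavaMelody), the Python below scans access-log lines for clear_counter requests that carry markup in the counter parameter or that reach the monitoring page from outside an assumed operator network. The log lines, the ADMIN_PREFIXES allowlist, the MARKUP pattern and the common-log field layout are constructed assumptions for this example.

```python
# Added example (not JavaMelody's code): flags clear_counter requests whose
# counter parameter carries markup, over access-log lines in the common or
# combined format. The sample lines, ADMIN_PREFIXES and the field layout are
# constructed assumptions for this example.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed: operators reach the monitoring page only from these prefixes.
ADMIN_PREFIXES = ("10.0.0.",)
# Characters that have no business in a counter name and enable the breakout.
MARKUP = re.compile(r'[<>"\'\\]')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%253C -> %3C -> <) so double-encoded
    payloads are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(line: str):
    """Return a finding dict for a suspicious /monitoring request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/monitoring"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    action = query.get("action", [""])[0]
    counter = fully_decode(query.get("counter", [""])[0])
    reasons = []
    if not m.group("ip").startswith(ADMIN_PREFIXES):
        reasons.append("monitoring page reached from a non-admin address")
    if action == "clear_counter" and MARKUP.search(counter):
        reasons.append("markup characters in counter parameter")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "action": action,
            "counter": counter, "reasons": reasons}


def scan(lines):
    """Findings for every line that analyze() considers suspicious."""
    return [f for f in map(analyze, lines) if f]


# Constructed sample log lines: one external breakout attempt, one benign
# operator request, one double-encoded payload from an operator address,
# and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jun/2018:10:01:02 +0000] "GET /monitoring?action=clear_counter&counter=%3C%2Fscript%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1234',
    '10.0.0.5 - - [14/Jun/2018:10:02:02 +0000] "GET /monitoring?action=clear_counter&counter=http HTTP/1.1" 200 5678',
    '10.0.0.5 - - [14/Jun/2018:10:03:02 +0000] "GET /monitoring?action=clear_counter&counter=%253Cscript%253E HTTP/1.1" 200 5678',
    '198.51.100.9 - - [14/Jun/2018:10:04:02 +0000] "GET /app/index.html HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Point scan() at a real log with scan(open(path)). The decoding loop matters for a WAF rule as well: a rule that percent-decodes once will pass %253C through, and the container will decode it a second time on the way to the counter parameter only if something in the chain decodes twice, so check what your front end actually does before relying on a single decode.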

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Ecosystem   Affected versions   Patched versions
net.bull.javamelody:javamelody-core   Maven       < 1.61.0            1.61.0

Affected products: 1

Patches: 1

e0497c1980ac

fix XSS

https://github.com/javamelody/javamelody · evernat · Aug 24, 2016 · via ghsa
1 file changed · +1 −1
  • javamelody-core/src/main/java/net/bull/javamelody/HtmlCoreReport.java (+1 −1, modified)
    @@ -365,7 +365,7 @@ void writeMessageIfNotNull(String message, String partToRedirectTo,
     		if (message != null) {
    
     			writeln(SCRIPT_BEGIN);
    
     			// writeDirectly pour ne pas gérer de traductions si le message contient '#'
    
    -			writeDirectly("alert(\"" + javascriptEncode(message) + "\");");
    
    +			writeDirectly("alert(\"" + htmlEncodeButNotSpace(javascriptEncode(message)) + "\");");
    
     			writeln("");
    
     			// redirect vers une url évitant que F5 du navigateur ne refasse l'action au lieu de faire un refresh
    
     			if (partToRedirectTo == null) {
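Review bot: wrapping the alert text in htmlEncodeButNotSpace closes the '</script>' breakout, but HTML entities are not decoded inside a script element, so from this line on a message containing '<', '>', '&' or '"' is displayed to the user as '&lt;', '&gt;', '&amp;' or, assuming javascriptEncode backslash-escapes quotes, '\&quot;'. Since the removed line already called javascriptEncode and was still exploitable, the actual gap is that '<', '>' and '&' are not escaped for a script context; emitting them as JavaScript unicode escapes ('\u003c', '\u003e', '\u0026'), either inside javascriptEncode or in a dedicated helper used here, keeps the script element intact and shows the original text in the alert. If the entity approach stays, the line needs a comment saying that the double encoding is intentional and why.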
    
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.