Jetty contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate content preceding a ";" for directory listing URLs. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 6.1.17 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2009-1524 (see also: NVD)
• Bugtraq ID: 34800
• Secunia Advisory ID: 34975 40553 40577
• Related OSVDB ID: 54186
• Vendor Specific Advisory URL: http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02282388 [ Auth Req'd ]
  http://jira.codehaus.org/browse/JETTY-980
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1023962
  http://www.vmware.com/security/advisories/VMSA-2010-0012.html

• Joakim Erdfelt -