...
CVE-2009-2897 describes several cross-site scripting (XSS) vulnerabilities in several versions of SpringSource Hyperic HQ. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters. They are demonstrated by an uncaught java.lang.NumberFormatException exception resulting from entering several invalid numeric parameters to the web interface.
CVE-2015-2080 describes a vulnerability in the Jetty web server, versions 9.2.3 to 9.2.8, where an illegal character passed in an HTML request causes the server to respond with an error message containing the text with the illegal character. But this error message can also contain sensitive information, such as cookies from previous web requests.
Related Guidelines
ERR12-CPP. Do not allow exceptions to transmit sensitive information | |
CWE-209, Information Exposure through an Error Message |
...
9.1, Security Exceptions | |
| \[Gotham 2015\] | JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server |
| [Schönefeld 2004] |