CVE-2006-2759
https://notcve.org/view.php?id=CVE-2006-2759
jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, and probably other mixed case manipulations. • http://securitytracker.com/id?1016168 •
CVE-2006-2758 – promise webpam 2.2.0.13 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2006-2758
Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a %2e%2e%5c (encoded ../) in the URL. NOTE: this might be the same issue as CVE-2005-3747. • https://www.exploit-db.com/exploits/18571 http://securitytracker.com/id?1016168 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2005-3747 – promise webpam 2.2.0.13 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2005-3747
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758. Vulnerabilidad no especificada en Jetty anteriores a 5.1.6 permite a atacantes remotos obtener el código fuente de páginas JSP, posiblemente implicando peticiones de ficheros .jsp con caractéres contra barra URL-codificado ("%C"). NOTA: puede tratarse la misma cuestión que en el CVE-2006-2758. • https://www.exploit-db.com/exploits/18571 http://secunia.com/advisories/17659 http://secunia.com/advisories/22669 http://sourceforge.net/project/shownotes.php?release_id=372086&group_id=7322 http://www.securityfocus.com/archive/1/450315/100/0/threaded http://www.securityfocus.com/bid/15515 http://www.vupen.com/english/advisories/2005/2515 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2002-1533 – Jetty 4.1 Servlet Engine - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2002-1533
Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (%0a). Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Jetty JSP servlet engine permite a atacantes remotos insertar HTML arbitrario o rutinas vía petición HTTP a un fichero .jsp cuyo nombre contiene la rutina maliciosa y algunos caracteres de nueva linea (%0a). • https://www.exploit-db.com/exploits/21875 http://archives.neohapsis.com/archives/bugtraq/2002-09/0337.html http://www.iss.net/security_center/static/10219.php http://www.securityfocus.com/bid/5821 •