JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI. References https://nvd.nist.gov/vuln/detail/CVE-2018-12432 https://github.com/Hurdano/JavaMelody-XSS/wiki/Attack-Vector—JavaMelody https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6 https://github.com/advisories/GHSA-g66q-grxc-64j3
