JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.
{ "nvd_published_at": "2018-06-14T23:29:00Z", "github_reviewed_at": "2022-06-29T22:50:12Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }