- Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- activemq, activemq_web
CVSS 3.1
- Type
- Secondary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- security@apache.org
- CWE-79
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC66E480-8612-46E7-BAA6-EF589D66A4AD",
"versionEndExcluding": "5.19.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74C2B373-AC03-4016-896A-E05B94D63004",
"versionEndExcluding": "6.2.7",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E4F544-AE77-41DF-8302-04336891E14A",
"versionEndExcluding": "5.19.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9117F314-E9C3-4814-AB86-7BFB5D2E1918",
"versionEndExcluding": "6.2.7",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]