Remote Cross-Site Scripting in Apache ActiveMQ Artemis
CVE-2020-13932
6.1 MEDIUM
Summary
Apache ActiveMQ Artemis versions 2.5.0 to 2.13.0 are vulnerable to remote cross-site scripting (XSS) via specially crafted MQTT packets. An attacker can place a malicious script in the client-id or topic name; when the packet is processed, the script is injected into the admin console's browser. The issue specifically affects the diagram plugin and the info section of queue nodes, putting users who access the web console at risk.
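A defender-side check for the injection path described above, added here as an example (not code from Apache ActiveMQ Artemis or from this advisory): it parses MQTT 3.1/3.1.1 CONNECT and PUBLISH packets and flags client-ids or topic names that contain HTML metacharacters. The function names, the character set and the sample packets are assumptions constructed for illustration.

```python
import struct

# Characters that let a string break out of HTML text or attribute context.
HTML_META = set("<>\"'&`")

def _remaining_length(buf, pos):
    """Decode the MQTT variable-length 'remaining length' field."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 21:
            raise ValueError("malformed remaining length")

def _utf8_field(buf, pos):
    """Read a 2-byte length-prefixed UTF-8 string; return (text, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    raw = buf[pos + 2 : pos + 2 + n]
    if len(raw) != n:
        raise ValueError("truncated string field")
    return raw.decode("utf-8", "replace"), pos + 2 + n

def inspect_packet(buf):
    """Return (field, value, suspicious) for CONNECT/PUBLISH, else None."""
    ptype = buf[0] >> 4
    _, pos = _remaining_length(buf, 1)
    if ptype == 1:  # CONNECT: protocol name, level, flags, keep-alive, client-id
        _, pos = _utf8_field(buf, pos)
        value, _ = _utf8_field(buf, pos + 4)  # skip level(1)+flags(1)+keep-alive(2)
        field = "client-id"
    elif ptype == 3:  # PUBLISH: the topic name is the first field
        value, _ = _utf8_field(buf, pos)
        field = "topic"
    else:
        return None
    return field, value, any(c in HTML_META for c in value)

# Constructed sample packets (harmless markup, not captured traffic).
_HDR = b"\x00\x04MQTT\x04\x02\x00\x3c"  # MQTT 3.1.1, clean session, keep-alive 60
SAMPLE_CONNECT_OK = b"\x10\x15" + _HDR + b"\x00\x09" + b"sensor-01"
SAMPLE_CONNECT_MARKUP = b"\x10\x14" + _HDR + b"\x00\x08" + b"<b>x</b>"
SAMPLE_PUBLISH_MARKUP = b"\x30\x0e" + b"\x00\x0a" + b"a/<i>t</i>" + b"hi"
```

A flagged value is a reason to review the connection, not proof of an attack; the durable fix is upgrading past the affected range so the console encodes these strings before rendering them.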
Affected Version(s)
Apache ActiveMQ Artemis 2.5.0 to 2.13.0
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved