Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: bt-30060.htm

Apache ActiveMQ XSS Vulnerability



Apache ActiveMQ XSS Vulnerability
Apache ActiveMQ XSS Vulnerability



Vulnerability Info:=0D
=0D
26/04/2010 Issue Discovered              26/04/2010 Vendor Notified=0D
=0D
27/04/2010 Vendor Conformed              Class: Cross-Site Scripting (Input validation)=0D
=0D
=0D
Severity: Medium=0D
=0D
Overview:=0D
---------=0D
Apache ActiveMQ is prone to cross-site scripting vulnerability.=0D
=0D
Technical Description:=0D
----------------------=0D
The issue is caused due to the problem in Jetty's error handler that doesn't escape the message.=0D
=0D
Impact:=0D
--------=0D
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.=0D
=0D
Affected Software:=0D
------------------=0D
Apache ActiveMQ 5.3.x versrions are affected with this issue.=0D
=0D
Not Affected Software:=0D
----------------------=0D
Apache ActiveMQ 5.4-SNAPSHOT=0D
=0D
=0D
Proof of Concept:=0D
-----------------=0D
=0D">http://localhost:8161/admin/ueueBrowse/example.A?view=rss&feedType==0D 
=0D
Workaround:=0D
-----------=0D
https://issues.apache.org/activemq/browse/AMQ-2714=0D
=0D
CVSS Score Report:=0D
            ACCESS_VECTOR          = NETWORK=0D
            ACCESS_COMPLEXITY      = Medium=0D
            AUTHENTICATION         = NOT REQUIRED=0D
            CONFIDENTIALITY_IMPACT = PARTIAL=0D
            INTEGRITY_IMPACT       = PARTIAL=0D
            AVAILABILITY_IMPACT    = NONE=0D
            EXPLOITABILITY         = PROOF_OF_CONCEPT=0D
            REMEDIATION_LEVEL      = WORKAROUND=0D
            REPORT_CONFIDENCE      = CONFIRMED=0D
            CVSS Base Score        = 5.8 (AV:N/AC:L/Au:NR/C:P/I:P/A:N)=0D
            CVSS Temporal Score    = 4.9=0D
=0D
=0D
Credits:=0D
--------=0D
Arun Kethipelly of Qualys, Inc


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH