Message-ID: <CAH+vQmMmWe_ghWoob-aKYkBXW5Nfaw30FFfsMBGMT-p4L1-Uqg@mail.gmail.com>
Date: Mon, 20 Jul 2020 17:17:16 +0100
From: Gary Tully <gtully@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-13932 Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin

[CVEID]: CVE-2017-5648 Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin

Severity: Medium

Vendor: The Apache Software Foundation

Affected Version: Apache ActiveMQ Artemis 2.5.0 to 2.13.0

Vulnerability details:
A specially crafted MQTT packet carrying an XSS payload as its client-id or topic name can exploit this vulnerability. The payload is injected into the admin console's browser and is triggered in the diagram plugin, in the queue node and in the info section.

Mitigation: Upgrade to Apache ActiveMQ Artemis 2.14.0

Credit: This issue was discovered by Arun Magesh from Payatu Software Labs

see: https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt
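Added example (not Artemis or hawtio code) of the defect class the advisory describes: a diagram renderer that concatenates MQTT-derived names straight into console markup, beside the output-encoded version. It assumes the plugin builds queue-node labels and the info panel as HTML strings and that subscription queue names are derived from client-id and topic; the sample session data is constructed.

```javascript
// Added illustration, not code from Apache ActiveMQ Artemis or its web console.
// Assumption: node labels and the info panel are assembled as HTML strings.

// The five characters that change meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode one untrusted value so the browser renders it as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the broker-reported queue name (which an MQTT client
// controls through its client-id and topic) is inlined into the diagram node.
function renderQueueNodeUnsafe(queue) {
  return `<g class="node"><title>${queue.name}</title><text>${queue.name}</text></g>`;
}

// Hardened pattern: every untrusted field is encoded before entering markup.
function renderQueueNode(queue) {
  const name = escapeHtml(queue.name);
  return `<g class="node"><title>${name}</title><text>${name}</text></g>`;
}

// Info section for a session, with both keys and values encoded.
function renderInfoSection(session) {
  const rows = [['client-id', session.clientId], ['topic', session.topic]]
    .map(([k, v]) => `<tr><th>${escapeHtml(k)}</th><td>${escapeHtml(v)}</td></tr>`);
  return `<table>${rows.join('')}</table>`;
}

// Constructed MQTT session metadata containing markup characters (benign).
const SAMPLE_SESSION = { clientId: '<i>sensor-42</i>', topic: 'plant/"line-1"/temp&hum' };

// Assumed naming scheme: subscription queue name = clientId + '.' + topic.
const SAMPLE_QUEUE = { name: `${SAMPLE_SESSION.clientId}.${SAMPLE_SESSION.topic}` };

// Check used by a reviewer or a unit test: does an untrusted value that carries
// tag delimiters survive verbatim in the rendered markup?
function containsRawMarkup(html, untrusted) {
  return /[<>]/.test(untrusted) && html.includes(untrusted);
}
```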