Summary
This host is installed with Apache ActiveMQ and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of the affected site, obtain sensitive information, or cause a denial of service.
Impact Level: Application
Solution
Upgrade to version 5.8.0 or later.
For updates refer to http://activemq.apache.org
Insight
- Improper sanitization of user-supplied input passed to the webapp/websocket/chat.js and PortfolioPublishServlet.java scripts via the 'refresh' and 'subscribe message' parameters.
- The web console does not require any form of authentication for access.
- Improper sanitization of HTTP requests by the sample web applications shipped with the out-of-the-box broker when they are enabled.
Affected
Apache ActiveMQ before 5.8.0
References
- http://activemq.apache.org/activemq-580-release.html
- http://www.osvdb.com/92705
- http://www.osvdb.com/92706
- http://www.osvdb.com/92707
- http://www.osvdb.com/92708
- https://issues.apache.org/jira/browse/AMQ-4124
- https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282
Updated on 2017-03-28
Severity
Classification
CVE: CVE-2012-6092, CVE-2012-6551, CVE-2013-3060
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:N/A:P