Cross-site scripting in ActiveMQ - CVE-2016-6810
Published: January 10, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31366
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6810
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
ActiveMQ
ActiveMQ
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.
How to mitigate CVE-2016-6810
Install update from vendor's website.
Sources
- http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt
- http://www.securityfocus.com/bid/94882
- http://www.securitytracker.com/id/1037475
- https://lists.apache.org/thread.html/924a3a27fad192d711436421e02977ff90d9fc0f298e1efe6757cfbc@%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E