#VU31366 Cross-site scripting in ActiveMQ - CVE-2016-6810
Published: January 10, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31366
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6810
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
ActiveMQ
Software vendor:
Apache Foundation
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Apache ActiveMQ 5.x before 5.14.2, a cross-site scripting vulnerability was identified in the web-based administration console. The root cause of this issue is improper validation of user data on output.
Remediation
Install the update from the vendor's website.
External links
- http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt
- http://www.securityfocus.com/bid/94882
- http://www.securitytracker.com/id/1037475
- https://lists.apache.org/thread.html/924a3a27fad192d711436421e02977ff90d9fc0f298e1efe6757cfbc@%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E