Main Vulnerability Database Vulnerabilities #VU31798

#VU31798 Stored cross-site scripting in ActiveMQ Artemis - CVE-2020-13932

Published: July 24, 2020

Vulnerability identifier: #VU31798

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2020-13932

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
ActiveMQ Artemis

Software vendor:
Apache Foundation

Description

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated user can send a specially crafted MQTT packet which has an XSS payload as client-id or topic name and execute arbitrary HTML and script code in administrator's browser in context of vulnerable website, as the code execution is triggered via the diagram plugin, queue node and the info section in the admin console.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install updates from vendor's website.

#VU31798 Stored cross-site scripting in ActiveMQ Artemis - CVE-2020-13932

Description

Remediation

External links

Please verify you're human