CVE-2012-6092

Apache Activemq < 5.7.0 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.

References (6)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2013-1029.html

[Various Sources] http://activemq.apache.org/activemq-580-release.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/59400

[Various Sources] https://fisheye6.atlassian.com/changelog/activemq?cs=1399577

[Various Sources] https://issues.apache.org/jira/browse/AMQ-4115

[Various Sources] https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282

Scores

EPSS 0.0257

EPSS Percentile 85.4%

Details

CWE

CWE-79

Status published

Products (22)

apache/activemq < 5.7.0

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

... and 12 more

Published Apr 21, 2013

Tracked Since Feb 18, 2026