CVE-2012-6092
Apache ActiveMQ < 5.8.0 - Cross-Site Scripting via Portfolio Publish Refresh Parameter
Title source: llmDescription
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
References (6)
Core 6
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1029.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/59400
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/AMQ-4115
Various Sources x_refsource_confirm
https://fisheye6.atlassian.com/changelog/activemq?cs=1399577
Various Sources x_refsource_confirm
http://activemq.apache.org/activemq-580-release.html
Various Sources x_refsource_confirm
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282
Scores
EPSS
0.0602
EPSS Percentile
92.5%
Details
CWE
CWE-79
Status
published
Products (19)
apache/activemq
4.0 (3 CPE variants)
apache/activemq
4.0.1
apache/activemq
4.0.2
apache/activemq
4.1.0
apache/activemq
4.1.1
apache/activemq
5.0.0
apache/activemq
5.1.0
apache/activemq
5.2.0
apache/activemq
5.3.0
apache/activemq
5.3.1
... and 9 more
Published
Apr 21, 2013
Tracked Since
Feb 18, 2026