CVE-2012-6092

Apache ActiveMQ < 5.8.0 - Cross-Site Scripting via Portfolio Publish Refresh Parameter

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.

References (6)

Core 6
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1029.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/59400
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/AMQ-4115
Various Sources x_refsource_confirm
http://activemq.apache.org/activemq-580-release.html

Scores

EPSS 0.0602
EPSS Percentile 92.5%

Details

CWE
CWE-79
Status published
Products (19)
apache/activemq 4.0 (3 CPE variants)
apache/activemq 4.0.1
apache/activemq 4.0.2
apache/activemq 4.1.0
apache/activemq 4.1.1
apache/activemq 5.0.0
apache/activemq 5.1.0
apache/activemq 5.2.0
apache/activemq 5.3.0
apache/activemq 5.3.1
... and 9 more
Published Apr 21, 2013
Tracked Since Feb 18, 2026