BID:105156

Apache ActiveMQ 'QueueFilter' Parameter Cross Site Scripting Vulnerability

CVE-2018-8006 |

Info

Apache ActiveMQ 'QueueFilter' Parameter Cross Site Scripting Vulnerability

Bugtraq ID:	105156
Class:	Input Validation Error
CVE:	CVE-2018-8006
Remote:	Yes
Local:	No
Published:	Aug 24 2018 12:00AM
Updated:	Aug 24 2018 12:00AM
Credit:	Bruno Oliveira of Trustwave.
Vulnerable:	Apache ActiveMQ 5.15.3 Apache ActiveMQ 5.15 Apache ActiveMQ 5.14.5 Apache ActiveMQ 5.14.2 Apache ActiveMQ 5.14.1 Apache ActiveMQ 5.6 Apache ActiveMQ 5.5 Apache ActiveMQ 5.9.1 Apache ActiveMQ 5.5.1 Apache ActiveMQ 5.4.3 Apache ActiveMQ 5.4.2 Apache ActiveMQ 5.4.1 Apache ActiveMQ 5.4.0 Apache ActiveMQ 5.3.2 Apache ActiveMQ 5.1.0

Not Vulnerable:	Apache ActiveMQ 5.16 Apache ActiveMQ 5.15.5

Discussion

Apache ActiveMQ 'QueueFilter' Parameter Cross Site Scripting Vulnerability

ActiveMQ is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

References

Apache ActiveMQ 'QueueFilter' Parameter Cross Site Scripting Vulnerability

References:

Apache ActiveMQ Homepage (Apache Software Foundation)
Bug 1622774 - (CVE-2018-8006) CVE-2018-8006 activemq: Cross-site scripting (XSS) (Red Hat Bugzilla)
CVE-2018-8006 (Red Hat Bugzilla)
Queue page on web console displays URL parameter without proper encoding (Apache)
Trustwave SpiderLabs Security Advisory TWSL2018-008 (Trustwave)