Apache ActiveMQ 'createDestination.action' HTML Injection Vulnerability

Bugtraq ID:	39119
Class:	Input Validation Error
CVE:	CVE-2010-0684
Remote:	Yes
Local:	No
Published:	Mar 31 2010 12:00AM
Updated:	Feb 02 2016 08:10PM
Credit:	Rajat Swarup
Vulnerable:	Apache Software Foundation Apache ActiveMQ 5.3 Apache Software Foundation Apache ActiveMQ 5.2
Not Vulnerable:	Apache Software Foundation Apache ActiveMQ 5.3.1

Apache ActiveMQ 'createDestination.action' HTML Injection Vulnerability

Apache ActiveMQ is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Versions prior to Apache ActiveMQ 5.3.1 are vulnerable.

Apache ActiveMQ 'createDestination.action' HTML Injection Vulnerability

Attackers can exploit this issue with a web browser.

Apache ActiveMQ 'createDestination.action' HTML Injection Vulnerability

Solution:
Updates are available. Please see the references for more information.


Apache Software Foundation Apache ActiveMQ 5.2

• Apache Software Foundation apache-activemq-5.3.1-bin.tar.gz
  http://www.apache.org/dyn/closer.cgi?path=%2Factivemq%2Fapache-activem q%2F5.3.1%2Fapache-activemq-5.3.1-bin.tar.gz

Apache Software Foundation Apache ActiveMQ 5.3

• Apache Software Foundation apache-activemq-5.3.1-bin.tar.gz
  http://www.apache.org/dyn/closer.cgi?path=%2Factivemq%2Fapache-activem q%2F5.3.1%2Fapache-activemq-5.3.1-bin.tar.gz

Apache ActiveMQ 'createDestination.action' HTML Injection Vulnerability

References:

• ActiveMQ 5.3.1 Release (Apache Software Foundation)
  
• Apache ActiveMQ Homepage (Apache Software Foundation)
  
• CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS) Vulnerabili (Rajat Swarup)