Dejan Bosanac

#20057of 53,633
12.9Total CVSS
Vulnerabilities · 3
Medium
3
PT-2014-2512
4.3
2014-02-05
Apache · Apache Activemq · CVE-2013-1880
**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ versions prior to 5.9.0 **Description** A cross-site scripting (XSS) issue exists in the Portfolio publisher servlet within the demo web application. This allows remote attackers to inject arbitrary web script or HTML via the `refresh` parameter to the "demo/portfolioPublish" API endpoint. **Recommendations** For Apache ActiveMQ versions prior to 5.9.0, update to version 5.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the demo web application or disabling the Portfolio publisher servlet until a patch is applied. Avoid using the `refresh` parameter in the affected API endpoint until the issue is resolved.
PT-2013-3448
4.3
2013-07-18
Apache · Apache Activemq · CVE-2013-1879
**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ versions 5.8.0 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message." This could potentially lead to unauthorized actions on the web application. **Recommendations** For Apache ActiveMQ versions 5.8.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2013-1884
4.3
2013-04-21
Apache · Apache Activemq · CVE-2012-6092
**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ versions prior to 5.8.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various vectors, including the `refresh` parameter to `PortfolioPublishServlet.java`, debug logs, or subscribe messages in `webapp/websocket/chat.js`. **Recommendations** For versions prior to 5.8.0, update to version 5.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `PortfolioPublishServlet.java` and `webapp/websocket/chat.js` components to minimize the risk of exploitation. Avoid using the `refresh` parameter in the affected API endpoint until the issue is resolved.