
Vishal Shukla

#43717 of 53,633
6.1 Total CVSS
Vulnerabilities · 1
PT-2026-45369
6.1
2026-06-01
Apache · Activemq · CVE-2026-42253
**Name of the Vulnerable Software and Affected Versions**

- Apache ActiveMQ versions prior to 5.19.7
- Apache ActiveMQ versions 6.0.0 through 6.2.5
- Apache ActiveMQ Web versions prior to 5.19.7
- Apache ActiveMQ Web versions 6.0.0 through 6.2.5

**Description**

An improper neutralization of input during web page generation allows for Cross-site Scripting (XSS). The `MessageServlet` in the ActiveMQ web console API copies every JMS message property into an HTTP response header without validation. This allows an attacker to overwrite and inject security headers by setting them on JMS messages returned by the servlet.

**Recommendations**

- Upgrade to version 5.19.7.
- Upgrade to version 6.2.6.
- As a temporary mitigation, disable the `MessageServlet` function.
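
The property-to-header copy described above, next to a checked variant, as an added example that is not ActiveMQ's code or its actual fix. The class name, the `X-Msg-Prop-` prefix, and the sample properties are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PropertyHeaderFilter {
    // Assumed namespace for message properties; not a name taken from ActiveMQ.
    static final String PREFIX = "X-Msg-Prop-";

    // Header field names must be RFC 9110 tokens.
    static boolean isToken(String s) {
        return !s.isEmpty() && s.chars().allMatch(c ->
            (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || "!#$%&'*+-.^_`|~".indexOf(c) >= 0);
    }

    // Reject control characters (CR, LF, NUL, ...) in header values; tab is allowed.
    static boolean isSafeValue(String s) {
        return s.chars().noneMatch(c -> (c < 0x20 && c != '\t') || c == 0x7f);
    }

    // The pattern the advisory describes: the property name becomes the header name as-is.
    static Map<String, String> copyUnchecked(Map<String, Object> props) {
        Map<String, String> headers = new LinkedHashMap<>();
        props.forEach((k, v) -> headers.put(k, String.valueOf(v)));
        return headers;
    }

    // Checked variant: only validated properties are emitted, and always under a
    // prefix, so a property can never replace a header the server sets itself.
    static Map<String, String> copyChecked(Map<String, Object> props) {
        Map<String, String> headers = new LinkedHashMap<>();
        props.forEach((k, v) -> {
            String value = String.valueOf(v);
            if (isToken(k) && isSafeValue(value)) {
                headers.put(PREFIX + k, value);
            }
        });
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample properties, as a message producer could set them.
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("orderId", 42);
        props.put("Content-Security-Policy", "constructed-value");
        props.put("bad name", "x");
        props.put("note", "line1\r\nline2");
        System.out.println("unchecked: " + copyUnchecked(props));
        System.out.println("checked:   " + copyChecked(props));
    }
}
```

In the unchecked output the `Content-Security-Policy` property lands on the response under its own name; in the checked output it appears only as `X-Msg-Prop-Content-Security-Policy`, and the two malformed properties are dropped.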