CVE-2015-0862

Name of the Vulnerable Software and Affected Versions RabbitMQ management plugin versions prior to 3.4.3

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the management web UI of the RabbitMQ management plugin. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via various means, including message details such as headers or arguments when a message is unqueued, policy names when viewing policies, and details for AMQP network clients such as the version. Additionally, remote authenticated administrators can inject arbitrary web script or HTML via user names or the cluster name. RabbitMQ cluster administrators can also modify unspecified content.

Recommendations For versions prior to 3.4.3, update to version 3.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the management web UI to minimize the risk of exploitation. Avoid using the vulnerable features, such as viewing message details, policy names, or user names, in the management web UI until the issue is resolved.