CVE-2020-13821

Name of the Vulnerable Software and Affected Versions HiveMQ Broker Control Center version 4.3.2

Description An issue was discovered where a crafted clientid parameter in an MQTT packet sent to the Broker is reflected in the client section of the management console. This reflection can lead to the loading of an attacker's JavaScript in a browser, potentially resulting in the theft of the session and cookie of the administrator's account of the Broker.

Recommendations For HiveMQ Broker Control Center version 4.3.2, consider restricting access to the management console to minimize the risk of exploitation. As a temporary workaround, avoid using the clientid parameter in MQTT packets until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.