PT-2020-13788 · Apache · Apache ActiveMQ Artemis

Arun Magesh · Published 2020-07-20 · Updated 2026-06-15 · CVE-2020-13932

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ Artemis versions 2.5.0 through 2.13.0

Description: A specially crafted MQTT packet carrying an XSS payload as the client-id or topic name triggers this issue. The payload is rendered unescaped in the admin console's browser and executes in the diagram plugin, specifically in the queue node and its info section.

Recommendations: For Apache ActiveMQ Artemis versions 2.5.0 through 2.13.0, consider disabling the diagram plugin as a temporary workaround until a patch is available. Restrict access to the admin console to minimize the risk of exploitation. Do not accept HTML or script content in the client-id or topic name, so the issue cannot be triggered.
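The root cause described above is an attacker-controlled MQTT identifier (client-id or topic name) reaching the console's diagram markup without escaping. The following is an added example, not code from Apache ActiveMQ Artemis or its console: it shows the escaping a diagram node renderer needs, plus a broker-side heuristic that flags identifiers containing HTML metacharacters (`renderQueueNode`, `looksLikeMarkup` and the sample identifiers are all constructed for illustration).

```javascript
// Added example, not Apache ActiveMQ Artemis code.
// Minimal HTML escaping for untrusted strings that end up inside element content
// or attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical diagram-node renderer: every field an MQTT client controls
// (address/topic name, client-id) is escaped before being concatenated into HTML.
// Rendering these raw is the pattern that produces the XSS described above.
function renderQueueNode(node) {
  return (
    `<div class="node"><span class="label">${escapeHtml(node.address)}</span>` +
    `<span class="info">client: ${escapeHtml(node.clientId)}</span></div>`
  );
}

// Broker-side heuristic: MQTT allows almost any UTF-8 in client-ids and topic
// names, so markup characters are protocol-legal but worth flagging or rejecting
// before they are shown to an administrator.
function looksLikeMarkup(identifier) {
  return /[<>"'&]/.test(identifier) || /javascript:/i.test(identifier);
}

// Constructed sample CONNECT / PUBLISH fields, as a broker might observe them.
const SAMPLE_IDENTIFIERS = [
  { kind: "client-id", value: "sensor-42" },
  { kind: "topic", value: "building/floor1/temp" },
  { kind: "client-id", value: '<img src=x onerror="alert(1)">' }, // constructed probe
];

// Returns a list of "kind: value" strings for identifiers that look like markup.
function auditIdentifiers(items) {
  return items
    .filter((item) => looksLikeMarkup(item.value))
    .map((item) => `${item.kind}: ${item.value}`);
}
```

The escaping is what the console must do; the heuristic is a defensive extra that gives operators a log signal while they wait to upgrade.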

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2020-13932
GHSA-3H2H-XQR2-2JP7

Affected Products

Apache ActiveMQ Artemis