Vulnerability CVE-2016-0782


Published: 2016-08-05   Modified: 2017-09-06

Description:
The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.

Vendor: Apache
Product: Activemq 
Version:
5.9.1
5.9.0
5.8.0
5.7.0
5.6.0
5.5.1
5.5.0
5.4.3
5.4.2
5.4.1
5.4.0
5.3.2
5.3.1
5.3.0
5.2.0
5.13.1
5.13.0
5.12.2
5.12.1
5.12.0
5.11.3
5.11.2
5.11.1
5.11.0
5.10.2
5.10.1
5.10.0
5.1.0

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt
http://packetstormsecurity.com/files/136215/Apache-ActiveMQ-5.13.0-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/archive/1/537760/100/0/threaded
http://www.securitytracker.com/id/1035328
https://access.redhat.com/errata/RHSA-2016:1424
https://bugzilla.redhat.com/show_bug.cgi?id=1317516

Related CVE
CVE-2014-0115
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
CVE-2014-3624
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
CVE-2016-5002
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
CVE-2016-5003
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
CVE-2015-1835
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
CVE-2014-3600
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
CVE-2014-3579
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
CVE-2012-1622
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.

Copyright 2017, cxsecurity.com

 

Back to Top