CVE-2012-6092

Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://activemq.apache.org/activemq-580-release.html
http://rhn.redhat.com/errata/RHSA-2013-1029.html
http://www.securityfocus.com/bid/59400
https://fisheye6.atlassian.com/changelog/activemq?cs=1399577
https://issues.apache.org/jira/browse/AMQ-4115
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:activemq::::::::
	cpe:2.3:a:apache:activemq:4.0:::::::*
	cpe:2.3:a:apache:activemq:4.0:m4::::::
	cpe:2.3:a:apache:activemq:4.0:rc2::::::
	cpe:2.3:a:apache:activemq:4.0.1:::::::*
	cpe:2.3:a:apache:activemq:4.0.2:::::::*
	cpe:2.3:a:apache:activemq:4.1.0:::::::*
	cpe:2.3:a:apache:activemq:4.1.1:::::::*
	cpe:2.3:a:apache:activemq:5.0.0:::::::*
	cpe:2.3:a:apache:activemq:5.1.0:::::::*
	cpe:2.3:a:apache:activemq:5.2.0:::::::*
	cpe:2.3:a:apache:activemq:5.3.0:::::::*
	cpe:2.3:a:apache:activemq:5.3.1:::::::*
	cpe:2.3:a:apache:activemq:5.3.2:::::::*
	cpe:2.3:a:apache:activemq:5.4.0:::::::*
	cpe:2.3:a:apache:activemq:5.4.1:::::::*
	cpe:2.3:a:apache:activemq:5.4.2:::::::*
	cpe:2.3:a:apache:activemq:5.5.0:::::::*
	cpe:2.3:a:apache:activemq:5.5.1:::::::*
	cpe:2.3:a:apache:activemq:5.6.0:::::::*

History

No history.

Information

Published : 2013-04-21 21:55

Updated : 2024-02-04 18:16

NVD link : CVE-2012-6092

Mitre link : CVE-2012-6092

CVE.ORG link : CVE-2012-6092

JSON object : View

Products Affected

apache

activemq

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2012-6092", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-04-21T21:55:01.083", "references": [{"url": "http://activemq.apache.org/activemq-580-release.html", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html", "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/59400", "source": "secalert@redhat.com"}, {"url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1399577", "source": "secalert@redhat.com"}, {"url": "https://issues.apache.org/jira/browse/AMQ-4115", "source": "secalert@redhat.com"}, {"url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en la web de ejemplo en Apache ActiveMQ anterior a v5.8.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro (1) refresh en PortfolioPublishServlet.java (tambi\u00e9n conocido como demo/portfolioPublish o Market Data Publisher), o vectores relacionados con (2) logs de depuraci\u00f3n, o (3) mensajes de suscripci\u00f3n en webapp/websocket/chat.js. NOTA: AMQ-4124 est\u00e1 cubierto por CVE-2012-6551."}], "lastModified": "2023-11-07T02:12:45.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA0C6D29-FFCF-4D59-A2D3-2C226F3F679A", "versionEndIncluding": "5.7.0"}, {"criteria": "cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA1D17FC-EE96-4E59-A655-541DD4C01822"}, {"criteria": "cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5CCD470-62EA-4E53-80BA-D92E74298577"}, {"criteria": "cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01145606-6FD6-482F-9F76-4D9C7E452E2F"}, {"criteria": "cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B741D677-63F9-4B31-8E68-3084815F9BF6"}, {"criteria": "cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF5D8AFE-B431-482E-892E-C038A96D5FEA"}, {"criteria": "cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCC189C2-95A8-4CA0-8FEF-39857F079425"}, {"criteria": "cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B850F6F-0605-411F-9A98-4B8147DEAD3A"}, {"criteria": "cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "436F59B9-507A-4B4E-A9F3-022616866151"}, {"criteria": "cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F58D9E69-CBF2-4FB6-B062-ED21F83CBCCB"}, {"criteria": "cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05D6EC30-88DC-4424-BF86-D9C0DA5E191C"}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82ACD6BA-257F-49D0-8944-0991FB038533"}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C43FD7A1-FC03-47BC-B6C6-02C0F1466762"}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7A8D571-2925-4F61-B3F0-8F4A3776F6EA"}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47B31CD9-A3BB-427C-A631-2E8168DD1985"}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B904806-6796-4947-BDF4-EEA5681147E8"}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61B4A1EE-7F62-4602-A102-8AD8E9FD528F"}, {"criteria": "cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "623530FC-12E9-480B-AFA0-C19FCFFA5D36"}, {"criteria": "cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5755A41-0DBE-4F54-A1C1-4F65DCC6ACD2"}, {"criteria": "cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11AADFBF-AC60-4535-892C-BE90BE858172"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}