CVE-2012-6092

Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://issues.apache.org/jira/browse/AMQ-4115
https://fisheye6.atlassian.com/changelog/activemq?cs=1399577
http://activemq.apache.org/activemq-580-release.html
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282
http://rhn.redhat.com/errata/RHSA-2013-1029.html
http://www.securityfocus.com/bid/59400

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:activemq:5.3.0:::::::*
	cpe:2.3:a:apache:activemq:4.1.0:::::::*
	cpe:2.3:a:apache:activemq:5.4.0:::::::*
	cpe:2.3:a:apache:activemq:5.5.1:::::::*
	cpe:2.3:a:apache:activemq:5.4.1:::::::*
	cpe:2.3:a:apache:activemq:5.3.1:::::::*
	cpe:2.3:a:apache:activemq:5.2.0:::::::*
	cpe:2.3:a:apache:activemq:5.0.0:::::::*
	cpe:2.3:a:apache:activemq:4.0:::::::*
	cpe:2.3:a:apache:activemq:4.0.2:::::::*
	cpe:2.3:a:apache:activemq::::::::
	cpe:2.3:a:apache:activemq:4.0.1:::::::*
	cpe:2.3:a:apache:activemq:5.1.0:::::::*
	cpe:2.3:a:apache:activemq:5.5.0:::::::*
	cpe:2.3:a:apache:activemq:4.0:rc2::::::
	cpe:2.3:a:apache:activemq:5.3.2:::::::*
	cpe:2.3:a:apache:activemq:4.1.1:::::::*
	cpe:2.3:a:apache:activemq:4.0:m4::::::
	cpe:2.3:a:apache:activemq:5.6.0:::::::*
	cpe:2.3:a:apache:activemq:5.4.2:::::::*

Information

Published : 2013-04-21 14:55

Updated : 2023-02-12 16:27

NVD link : CVE-2012-6092

Mitre link : CVE-2012-6092

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

apache

activemq

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://issues.apache.org/jira/browse/AMQ-4115", "name": "https://issues.apache.org/jira/browse/AMQ-4115", "tags": [], "refsource": "CONFIRM"}, {"url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1399577", "name": "https://fisheye6.atlassian.com/changelog/activemq?cs=1399577", "tags": [], "refsource": "CONFIRM"}, {"url": "http://activemq.apache.org/activemq-580-release.html", "name": "http://activemq.apache.org/activemq-580-release.html", "tags": [], "refsource": "CONFIRM"}, {"url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282", "name": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282", "tags": [], "refsource": "CONFIRM"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html", "name": "RHSA-2013:1029", "tags": [], "refsource": "REDHAT"}, {"url": "http://www.securityfocus.com/bid/59400", "name": "59400", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-6092", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2013-04-21T21:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.7.0"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T00:27Z"}

4.3 /10