CVE-2012-6092
Published: 21 April 2013
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
Notes
| Author | Note |
|---|---|
| mdeslaur | example code not shipped in Ubuntu/Debian |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
activemq Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Not vulnerable
(code not present)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Does not exist
(trusty was not-affected [code not present])
|
|
| upstream |
Needs triage
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Not vulnerable
(code not present)
|
References
- https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282
- https://issues.apache.org/jira/browse/AMQ-4115
- https://fisheye6.atlassian.com/changelog/activemq?cs=1399577
- http://activemq.apache.org/activemq-580-release.html
- https://www.cve.org/CVERecord?id=CVE-2012-6092
- NVD
- Launchpad
- Debian