Skip to main content

Activemq CVE-2020-1941

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-05-14 security@apache.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 14, 2020 - 17:15 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-web-console (2 direct, 4 indirect)

Ecosystem-wide dependent count for version 5.0.0.

DescriptionNVD

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.

AnalysisAI

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. Affected products include: Apache Activemq, Oracle Communications Diameter Signaling Router, Oracle Communications Element Manager, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2015-1830 MEDIUM POC
5.0 Aug 19

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5

CVE-2015-5254 CRITICAL
9.8 Jan 08

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remot

CVE-2023-46604 CRITICAL POC
9.8 Oct 27

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. Rated critical severity (CVSS 9.8), this v

CVE-2014-3576 HIGH
7.5 Aug 14

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote att

CVE-2021-21345 CRITICAL POC
9.9 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.9), this vulnerabi

CVE-2021-21350 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21347 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21346 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21344 CRITICAL POC
9.8 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2021-21351 CRITICAL POC
9.1 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2021-21342 CRITICAL POC
9.1 Mar 23

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2024-32114 HIGH POC
8.8 May 02

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and

Share

CVE-2020-1941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy