CVE-2020-13932 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-13932 PUBLISHED

Reported by apache · Published July 20, 2020

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section.

Affected Products

Vendor	Product	Versions
n/a	Apache ActiveMQ Artemis	Apache ActiveMQ Artemis 2.5.0 to 2.13.0
n/a	Apache ActiveMQ Artemis	Apache ActiveMQ Artemis 2.5.0 to 2.13.0, Apache ActiveMQ Artemis 2.5.0 to 2.13.0
Maven	org.apache.activemq:apache-artemis	2.5.0, 2.5.0

Timeline

Jul 20, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Jan 2, 2023 EPSS Score

References

x_refsource_MISC
[activemq-users] 20200721 Re: [ANNOUNCE] CVE-2020-13932 Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin mailing-listx_refsource_MLIST
[activemq-commits] 20210127 [activemq-website] branch master updated: Publish CVE-2021-26118 mailing-listx_refsource_MLIST
[activemq-commits] 20210127 [activemq-website] branch master updated: Publish CVE-2021-26117 mailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2020-13932 advisory
https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E url
https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E url
https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088@%3Ccommits.activemq.apache.org%3E url
https://github.com/advisories/GHSA-3h2h-xqr2-2jp7 advisory

Open in Interactive Console →