Persistent Cross-site Scripting in /createDesitnation.action [JMSDestination
parameter]
---------------------------------------------------------------------------------------
Key: AMQ-2625
URL: https://issues.apache.org/activemq/browse/AMQ-2625
Project: ActiveMQ
Issue Type: Bug
Affects Versions: 5.3.0
Environment: Linux environment.
Reporter: Rajat Swarup
Assignee: Dejan Bosanac
Priority: Critical
Fix For: 5.3.1, 5.4.0
GET
/createDestination.action?JMSDestinationType=queue&JMSDestination=%22%3E%3Cscript%3Ealert%28%22persistent%20XSS%22%29%3C%2fscript%3E
This GET request creates a queue name that has malformed queue name due to lack
of input validation. After sending this request a sample of the effect can be
seen by browsing to /queues.jsp and clicking on the "Home" link.
I do not know the affected version information yet. Is there some way I can
find it?
Additionally, this is vulnerable to cross-site request forgery as well but XSS
is a more critical bug than XSRF (at least at this point for me I guess).
----
CVE Identifier issued for this:
CVE-2010-0684
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
