Apache ActiveMQ and ActiveMQ Web Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Apache ActiveMQ and Apache ActiveMQ Web. It allows authenticated attackers to inject malicious HTML content into a JMS selector field, which is then rendered in the web console. The vulnerability arises from improper handling of script-related HTML tags, which enables HTML injection when the content type is incorrectly set to HTML instead of XML. This issue affects Apache ActiveMQ versions before 5.19.6 and versions from 6.0.0 before 6.2.5, as well as the same version ranges of Apache ActiveMQ Web.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected HTML is executed in the context of the user's browser.

Remediation

Users are advised to upgrade to Apache ActiveMQ version 6.2.5 or 5.19.6, both of which address this vulnerability. For Apache ActiveMQ Web, the same version recommendations apply.
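
A version triage check for the affected ranges stated above, as an added example that is not part of the original advisory or the ActiveMQ project. The host names, the "host version" inventory format and the status labels are assumptions constructed for illustration.

```python
import re

# Fixed releases and the 6.x lower bound, as stated in the advisory.
FIXED_5X, FIRST_6X, FIXED_6X = (5, 19, 6), (6, 0, 0), (6, 2, 5)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-](.+))?$")

# Constructed sample inventory (hypothetical hosts), one "host version" per line.
SAMPLE_INVENTORY = """\
mq-prod-01 5.18.3
mq-prod-02 5.19.6
mq-stage-01 6.2.4
mq-stage-02 6.2.5-SNAPSHOT
mq-dev-01 6.2.5
mq-dev-02 unknown-build
"""

def parse_version(text):
    """Return ((major, minor, patch), qualifier) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), qualifier

def classify(version_text):
    """Map a version string to affected / not-affected / review / unknown."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # cannot decide; check the host by hand
    version, qualifier = parsed
    if version in (FIXED_5X, FIXED_6X) and qualifier:
        return "review"  # pre-release build of a fixed version may lack the fix
    if version < FIXED_5X or FIRST_6X <= version < FIXED_6X:
        return "affected"
    return "not-affected"

def triage(inventory_text):
    """Classify every well-formed 'host version' line in the inventory."""
    results = {}
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            results[parts[0]] = classify(parts[1])
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```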

Added: Apr 24, 2026, 11:23 AM
Updated: Apr 24, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 1.7
exploitability: 4.9
remediation: 7.7
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.