Apache ActiveMQ and Apache ActiveMQ Web Cross-Site Scripting Vulnerability via HTTP Response Header Injection

Vulnerability

A cross-site scripting vulnerability has been identified in Apache ActiveMQ and Apache ActiveMQ Web. The issue arises in the MessageServlet of the ActiveMQ web console API, which improperly neutralizes input during web page generation. Specifically, the servlet copies every JMS message property into an HTTP response header without validating the property name or value. Because nothing is checked, a JMS message returned by the servlet can be crafted so that its properties overwrite or inject security headers in the response. Affected are Apache ActiveMQ versions before 5.19.7 and versions from 6.0.0 up to but not including 6.2.6; the same ranges apply to Apache ActiveMQ Web.
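The following is an added illustration, not ActiveMQ project code, of the property-to-header copy described above beside a hardened version of the same step. The sample message properties, the protected-header list and the function names are all constructed for this example; the hardened copy enforces RFC 7230 token syntax for names, rejects CR, LF and NUL in values, and refuses to set headers the console itself is responsible for.

```python
import re

# Header names must be RFC 7230 tokens; anything else cannot be a valid field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF or NUL inside a value would end the header line early or split the block.
_BAD_VALUE_CHARS = re.compile(r"[\r\n\x00]")
# Headers a broker-supplied property must never set or overwrite (assumed list;
# the advisory does not enumerate them).
_PROTECTED_HEADERS = frozenset(h.lower() for h in (
    "content-type", "content-length", "content-security-policy",
    "x-content-type-options", "x-frame-options", "set-cookie",
    "strict-transport-security", "location", "transfer-encoding",
))

# Constructed sample: properties of one JMS message as a servlet might receive them.
SAMPLE_PROPERTIES = {
    "JMSXGroupID": "orders",
    "trace-id": "abc123",
    "X-Frame-Options": "ALLOWALL",       # would overwrite a security header
    "note": "ok\r\nX-Injected: 1",       # CRLF would add a second header line
    "bad name": "x",                     # space is not a token character
}

def unsafe_headers(props):
    """The vulnerable pattern: every property becomes a header, unvalidated."""
    return {str(k): str(v) for k, v in props.items()}

def safe_headers(props):
    """Hardened pattern. Returns (headers, rejected) where rejected is a list
    of (property name, reason) so the drops can be logged."""
    headers, rejected = {}, []
    for key, val in props.items():
        name, value = str(key), str(val)
        if not _TOKEN_RE.match(name):
            rejected.append((name, "invalid header name"))
        elif _BAD_VALUE_CHARS.search(value):
            rejected.append((name, "CR/LF/NUL in value"))
        elif name.lower() in _PROTECTED_HEADERS:
            rejected.append((name, "protected header"))
        else:
            headers[name] = value
    return headers, rejected

def header_line_count(headers):
    """Number of header lines the dict produces once serialized with CRLF.
    More lines than properties means a value split the header block."""
    block = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return sum(1 for line in block.split("\r\n") if line)

if __name__ == "__main__":
    print("unsafe lines:", header_line_count(unsafe_headers(SAMPLE_PROPERTIES)))
    print("safe:", safe_headers(SAMPLE_PROPERTIES))
```

Five properties produce six header lines through the unsafe copy, which is the signal a detection or review check can look for; the hardened copy forwards only the two well-formed, non-protected ones.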

Impact

Exploitation of this vulnerability allows cross-site scripting: malicious script injected through the HTTP response headers could be executed by the user's browser.

Remediation

Users are advised to upgrade to Apache ActiveMQ version 5.19.7 or 6.2.6, both of which address this vulnerability. The MessageServlet has also been deprecated and disabled by default.

Added: Jun 1, 2026, 9:31 AM
Updated: Jun 1, 2026, 9:31 AM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.8
exploitability: 6.3
remediation: 8.3
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.