fkie_cve-2020-13932
Vulnerability from fkie_nvd
Published
2020-07-20 22:15
Modified
2024-11-21 05:02
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section.
References
security@apache.orghttps://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txtVendor Advisory
security@apache.orghttps://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb%40%3Cusers.activemq.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txtVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb%40%3Cusers.activemq.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E
Impacted products
Vendor Product Version
apache activemq_artemis *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9AFDE5C-5B76-4560-B5DD-FF60841EC26D",
              "versionEndIncluding": "2.13.0",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console\u0027s browser. The XSS payload is triggered in the diagram plugin; queue node and the info section."
    },
    {
      "lang": "es",
      "value": "En Apache ActiveMQ Artemis versiones 2.5.0 hasta 2.13.0, un paquete MQTT especialmente dise\u00f1ado que presenta una carga \u00fatil XSS como id del cliente o nombre de tema puede explotar esta vulnerabilidad. La carga \u00fatil de XSS est\u00e1 siendo inyectada en el navegador de la consola de administraci\u00f3n. La carga \u00fatil XSS es activada en el plugin diagram; nodo queue y la secci\u00f3n info"
    }
  ],
  "id": "CVE-2020-13932",
  "lastModified": "2024-11-21T05:02:10.463",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-20T22:15:11.747",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb%40%3Cusers.activemq.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb%40%3Cusers.activemq.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.