CVE-2018-8006: XSS
First published: Wed Oct 10 2018(Updated: )
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
| Apache ActiveMQ | >=5.0.0<=5.15.5 | |
| maven/org.apache.activemq:activemq-web-console | >=5.0.0<5.15.6 | 5.15.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/148808
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- http://activemq.apache.org/security-advisories.data/CVE-2018-8006-announcement.txt
- http://www.securityfocus.com/bid/105156
- https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1@%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/3f1e41bc9153936e065ca3094bd89ff8167ad2d39ac0b410f24382d2@%3Cgitbox.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/c0ec53b72b3240b187afb1cf67e4309a9e5f607282010aa196734814@%3Cgitbox.activemq.apache.org%3E
- https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b@%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d@%3Ccommits.activemq.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2018-8006
- https://github.com/apache/activemq/commit/2373aa1
- https://github.com/apache/activemq/commit/d8c80a98212ee5d73a281483a2f8b3f517465f62
- https://issues.apache.org/jira/browse/AMQ-6954
- https://web.archive.org/web/20200227115717/http://www.securityfocus.com/bid/105156
- https://github.com/advisories/GHSA-hvwm-2624-rp9x (Advisory)
- https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1%40%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/3f1e41bc9153936e065ca3094bd89ff8167ad2d39ac0b410f24382d2%40%3Cgitbox.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/c0ec53b72b3240b187afb1cf67e4309a9e5f607282010aa196734814%40%3Cgitbox.activemq.apache.org%3E
- https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b%40%3Cdev.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d%40%3Ccommits.activemq.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2018-8006?
The severity of CVE-2018-8006 is medium, with a severity value of 6.1.
How does CVE-2018-8006 affect Apache ActiveMQ?
CVE-2018-8006 affects Apache ActiveMQ versions 5.0.0 to 5.15.5, allowing remote attackers to execute script in a victim's web browser.
How does CVE-2018-8006 affect IBM Security Directory Suite VA?
CVE-2018-8006 affects IBM Security Directory Suite VA version 8.0.1-8.0.1.19, allowing remote attackers to execute script in a victim's web browser.
How can I fix CVE-2018-8006 in Apache ActiveMQ?
To fix CVE-2018-8006 in Apache ActiveMQ, update to a version that is not vulnerable.
How can I fix CVE-2018-8006 in IBM Security Directory Suite VA?
To fix CVE-2018-8006 in IBM Security Directory Suite VA, apply the necessary security patch or update provided by IBM.
- collector/nvd-index
- agent/type
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hvwm-2624-rp9x
- alias/CVE-2018-8006
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/description
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- agent/references
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/apache
- canonical/apache activemq
- version/apache activemq/5.0.0
- version/apache activemq/5.15.5
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19