CVE-2020-13932: XSS
First published: Mon Jul 20 2020(Updated: )
A flaw was found in activemq. A specifically crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Apache ActiveMQ Artemis | <2.14.0 | 2.14.0 |
| Apache ActiveMQ Artemis | >=2.5.0<=2.13.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-13932 https://nvd.nist.gov/vuln/detail/CVE-2020-13932
- https://bugzilla.redhat.com/show_bug.cgi?id=1858946
- https://access.redhat.com/errata/RHSA-2020:5365
- https://access.redhat.com/security/cve/cve-2020-13932
- https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt
- https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb%40%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
Frequently Asked Questions
What is CVE-2020-13932?
CVE-2020-13932 is a vulnerability found in Apache ActiveMQ Artemis. A specially crafted MQTT packet with an XSS payload can exploit this vulnerability.
What is the severity of CVE-2020-13932?
The severity of CVE-2020-13932 is medium, with a CVSS severity score of 6.5.
How can CVE-2020-13932 be exploited?
CVE-2020-13932 can be exploited by sending a specially crafted MQTT packet with an XSS payload as the client-id or topic name.
How can I fix CVE-2020-13932?
To fix CVE-2020-13932, update Apache ActiveMQ Artemis to version 2.14.0.
What is the Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability?
The Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability is CVE-2020-13932.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-13932
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache activemq artemis
- version/apache activemq artemis/2.5.0
- version/apache activemq artemis/2.13.0
- package-manager/redhat