
CVE-2010-0684: Cross-site scripting in Apache ActiveMQ

CVSS Score
3.5

Basic Information

EPSS Score
0.51722%
Published
5/2/2022
Updated
2/21/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
AV:N/AC:M/Au:S/C:N/I:P/A:N
Package Name
org.apache.activemq:activemq-parent
Ecosystem
maven
Vulnerable Versions
< 5.3.1
First Patched Version
5.3.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from two key points: 1) The CreateDestination controller accepted arbitrary JMSDestination values via GET requests without validation() or encoding. 2) The queues.jsp template directly embedded unescaped JMSDestination parameter values into HTML responses. The patches added HTTP method restrictions (POST only), CSRF tokens, and proper output encoding using <c:out>, confirming the original vulnerability locations.
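The two fixes named above (HTML output encoding in the template, and a POST-only, CSRF-protected action) can be illustrated in plain Java. The following is an added example written for this page, not ActiveMQ's own code; the class and method names are illustrative assumptions, and the sample destination name is constructed. The encoder replaces the same five characters that JSTL's <c:out> (escapeXml="true") replaces, so the "safe" rendering shows what the patched queues.jsp emits for the same input.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Added example (not ActiveMQ code): contrasts embedding the raw JMSDestination
 * parameter in HTML against encoding it first, and shows the request gate the
 * patches added (POST only, CSRF token must match the session token).
 */
public final class DestinationPageExample {

    /** Encode for an HTML text context; same replacements as JSTL <c:out>. */
    static String escapeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the parameter is concatenated straight into markup. */
    static String renderUnsafe(String jmsDestination) {
        return "<td>" + jmsDestination + "</td>";
    }

    /** Hardened pattern: encode before embedding, as <c:out> does in the fix. */
    static String renderSafe(String jmsDestination) {
        return "<td>" + escapeForHtml(jmsDestination) + "</td>";
    }

    /**
     * Hardened gate for a state-changing action such as createDestination:
     * reject anything but POST, then require a CSRF token equal to the one
     * stored in the session (constant-time comparison).
     */
    static boolean allowCreateDestination(String httpMethod,
                                          String sessionToken,
                                          String submittedToken) {
        if (!"POST".equals(httpMethod)) {
            return false;                       // GET links can no longer trigger it
        }
        if (sessionToken == null || submittedToken == null) {
            return false;                       // no token issued or none supplied
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: a destination name carrying every character the
        // encoder must neutralise.
        String name = "orders.<b>bold</b>&\"quoted\"'";
        System.out.println("unsafe: " + renderUnsafe(name));
        System.out.println("safe:   " + renderSafe(name));

        String token = "example-session-token";   // constructed value
        System.out.println("GET  with token -> "
                + allowCreateDestination("GET", token, token));   // false
        System.out.println("POST wrong token -> "
                + allowCreateDestination("POST", token, "other")); // false
        System.out.println("POST good token  -> "
                + allowCreateDestination("POST", token, token));   // true
    }
}
```

Compile and run with javac/java; the "safe" line shows the markup characters rendered as entities instead of being interpreted by the browser, and the three gate calls show that a crafted GET link, the pre-patch delivery vector, is refused regardless of its parameters.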

Vulnerable functions


WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote authenticated users to inject arbitrary web script or HTML via the JMSDestination parameter in a queue action.

Reasoning

The vulnerability stems from two key points: 1) The `CreateDestination` controller accepted arbitrary `JMSDestination` values via GET requests without `validation()` or encoding. 2) The `queues.jsp` template directly embedded unescaped `JMSDestination` parameter values into HTML responses. The patches added HTTP method restrictions (POST only), CSRF tokens, and proper output encoding using `<c:out>`, confirming the original vulnerability locations.