5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-0782

GHSA ID

GHSA-8rcq-p4gh-vmj8

EPSS Score

0.80706%

CWE

CWE-79

Published

5/14/2022

Updated

3/14/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-0782

CVE-2016-0782: Improper Neutralization of Input During Web Page Generation in Apache ActiveMQ

The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.

(GitHub Advisory)

5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-0782

GHSA ID

GHSA-8rcq-p4gh-vmj8

EPSS Score

0.80706%

CWE

CWE-79

Published

5/14/2022

Updated

3/14/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.activemq:activemq-client	maven	>= 5.0.0, <= 5.11.3	5.11.4
org.apache.activemq:activemq-client	maven	>= 5.12.0, <= 5.12.2	5.12.3
org.apache.activemq:activemq-client	maven	>= 5.13.0, <= 5.13.1	5.13.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues:

XSS in queue handling: The admin console's JSP files failed to properly sanitize user-controlled queue names before rendering them in HTML, as evidenced by the CWE-79 classification and attack vector description.
Jolokia misconfiguration: The web.xml configuration for Jolokia (AgentServlet) initially allowed error details and discovery, which combined with XSS could lead to memory dump retrieval. This is confirmed by the patching commits (0c9fdb5, 2061186) that disabled these features and upgraded Jolokia.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **ministr*tion w** *onsol* in *p**** **tiv*MQ *.x ***or* *.**.*, *.**.x ***or* *.**.*, *n* *.**.x ***or* *.**.* *llows r*mot* *ut**nti**t** us*rs to *on*u*t *ross-sit* s*riptin* (XSS) *tt**ks *n* *ons*qu*ntly o*t*in s*nsitiv* in*orm*tion *rom * J

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *. XSS in qu*u* **n*lin*: T** **min *onsol*'s JSP *il*s **il** to prop*rly s*nitiz* us*r-*ontroll** qu*u* n*m*s ***or* r*n**rin* t**m in *TML, *s *vi**n*** *y t** *W*-** *l*ssi*i**tion *n* *tt**k v**tor **

5.4

Basic Information

Concerned about an active attack path?

CVE-2016-0782: Improper Neutralization of Input During Web Page Generation in Apache ActiveMQ

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI