CVE-2020-13932: Cross-site Scripting (XSS) in Apache ActiveMQ Artemis
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.84853%
CWE
Published
2/9/2022
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.activemq:apache-artemis | maven | >= 2.5.0, < 2.14.0 | 2.14.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The patch focuses on adding HTML escaping to user-controlled values displayed in the admin console. createDestinationLink
is explicitly modified to prevent XSS in queue links, while consumer/queue
popup rendering logic shows similar escaping fixes. These functions process
MQTT client-ids and topic names identified in the vulnerability description. The high-confidence entry has direct input->output flow visible in the patch; medium entries handle related vulnerable data flows in callback contexts.