
CVE-2020-13932: Cross-site Scripting (XSS) in Apache ActiveMQ Artemis

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.84853%
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: org.apache.activemq:apache-artemis
Ecosystem: maven
Vulnerable Versions: >= 2.5.0, < 2.14.0
First Patched Version: 2.14.0

Vulnerability Intelligence

Root Cause Analysis

The patch focuses on adding HTML escaping to user-controlled values displayed in the admin console. createDestinationLink is explicitly modified to prevent XSS in queue links, while the consumer/queue popup rendering logic receives similar escaping fixes. These functions process the MQTT client-ids and topic names identified in the vulnerability description. The high-confidence entry has a direct input-to-output flow visible in the patch; the medium-confidence entries handle related vulnerable data flows in callback contexts.
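The escaping the analysis describes, shown as an added illustration rather than the project's own patch: a hawtio-style link builder that interpolates an MQTT topic name into admin-console HTML, first unescaped (the vulnerable pattern) and then escaped. The function names, the escaper and the sample topic name are constructed assumptions, not taken from the Artemis source.

```javascript
// Added example (not Apache ActiveMQ Artemis code): how an MQTT client-id or
// topic name that reaches the admin console unescaped becomes stored XSS, and
// the HTML escaping that closes it. All names below are hypothetical.

// Minimal HTML escaper covering both text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the destination name is concatenated straight into markup,
// so markup inside the name is parsed by the admin user's browser.
function createDestinationLinkUnsafe(name) {
  return '<a href="#/queues/' + name + '">' + name + '</a>';
}

// Fixed pattern: the user-controlled value is escaped once and only the
// escaped form is placed into the attribute and the link text.
function createDestinationLinkSafe(name) {
  const safe = escapeHtml(name);
  return '<a href="#/queues/' + safe + '">' + safe + '</a>';
}

// Constructed sample: a topic name carrying a script tag, as a broker-connected
// MQTT client could set it. Used only to compare the two renderers.
const sampleTopic = 'orders<script>alert(1)</script>';

// Detection helper: does a rendered fragment still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe still executable:', containsRawScriptTag(createDestinationLinkUnsafe(sampleTopic)));
console.log('safe   still executable:', containsRawScriptTag(createDestinationLinkSafe(sampleTopic)));
```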


WAF Protection Rules

WAF Rule

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is tri
