6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-13932

GHSA ID

GHSA-3h2h-xqr2-2jp7

EPSS Score

0.84853%

CWE

CWE-79

Published

2/9/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-13932

CVE-2020-13932: Cross-site Scripting (XSS) in Apache ActiveMQ Artemis

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-13932

GHSA ID

GHSA-3h2h-xqr2-2jp7

EPSS Score

0.84853%

CWE

CWE-79

Published

2/9/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.activemq:apache-artemis	maven	>= 2.5.0, < 2.14.0	2.14.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch focuses on adding HTML escaping to user-controlled values displayed in the admin console. createDestinationLink is explicitly modified to prevent XSS in queue links, while consumer/queue popup rendering logic shows similar escaping fixes. These functions process MQTT client-ids and topic names identified in the vulnerability description. The high-confidence entry has direct input->output flow visible in the patch; medium entries handle related vulnerable data flows in callback contexts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** **tiv*MQ *rt*mis *.*.* to *.**.*, * sp**i*lly *r**t** MQTT p**k*t w*i** **s *n XSS p*ylo** *s *li*nt-i* or topi* n*m* **n *xploit t*is vuln*r**ility. T** XSS p*ylo** is **in* inj**t** into t** **min *onsol*'s *rows*r. T** XSS p*ylo** is tri

Reasoning

T** p*t** *o*us*s on ***in* *TML *s**pin* to us*r-*ontroll** v*lu*s *ispl*y** in t** **min *onsol*. `*r**t***stin*tionLink` is *xpli*itly mo*i*i** to pr*v*nt XSS in qu*u* links, w*il* `*onsum*r/qu*u*` popup r*n**rin* lo*i* s*ows simil*r *s**pin* *ix*

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-13932: Cross-site Scripting (XSS) in Apache ActiveMQ Artemis

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI