
CVE-2020-13947: Cross-site scripting (XSS) in Apache ActiveMQ

CVSS 3.1 base score: 6.1 (Medium)

Basic Information

EPSS Score: 0.91668%
Published: 2/9/2022
Updated: 3/14/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected packages (Maven ecosystem):

  org.apache.activemq:activemq-parent   vulnerable >= 5.16.0, < 5.16.1   first patched version 5.16.1
  org.apache.activemq:activemq-parent   vulnerable < 5.15.14             first patched version 5.15.14

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from missing output encoding in the URL construction logic of the console's message.jsp page. The original JavaScript function `confirmAction` built the navigation URL by string concatenation, appending `value` (the selected dropdown option) without URI encoding. A value containing characters such as `"`, `<`, `>`, `&` or `#` could therefore break out of the intended query parameter and, wherever the resulting URL was rendered into HTML, inject markup, which is the XSS vector. The patch wraps the client-side value in `encodeURIComponent()` and introduces JSTL `<c:url>` tags in the JSP so that parameters are percent-encoded.
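The following is an added illustration, not Apache ActiveMQ's code: it reproduces the URL-assembly pattern the root-cause analysis describes, in its vulnerable shape (raw concatenation) and its patched shape (`encodeURIComponent()`), and parses both results the way a browser would. The function names, the action string, the base URL and the option values are assumptions constructed for the example; only the technique comes from the analysis above. The server-side `<c:url>` half of the fix is JSP and is not shown here.

```javascript
// Added illustration, not Apache ActiveMQ's code: the URL-assembly pattern the
// root-cause analysis describes, in its vulnerable and its patched shape.
// The function names, the action string and the option values are constructed
// for this example; only the technique (raw concatenation vs. encodeURIComponent)
// comes from the analysis above.

// A console action URL that already carries a query string (constructed).
const ACTION = "deleteMessage.action?messageId=42";

// Vulnerable shape: the selected <option> value is glued onto the URL verbatim,
// so any '&', '=', '#', '"', '<' or '>' it contains rewrites the URL's structure
// or survives into whatever page later echoes the URL.
function buildActionUrlVulnerable(action, value) {
  return action + "&queue=" + value;
}

// Patched shape: percent-encode the value so it is exactly one parameter value
// regardless of content; the server decodes it back to the original string.
function buildActionUrlFixed(action, value) {
  return action + "&queue=" + encodeURIComponent(value);
}

// Stand-in for the dropdown lookup confirmAction performs
// (select.options[select.selectedIndex].value); options here are plain strings.
function selectedValue(options, selectedIndex) {
  return options[selectedIndex];
}

// Parse the relative URL the way a browser would and report what a downstream
// page sees: the raw string (which may later be written into HTML), the decoded
// parameters, and any fragment that got split off.
function inspect(relativeUrl) {
  const url = new URL(relativeUrl, "http://broker.example/admin/"); // constructed base
  const params = {};
  for (const [k, v] of url.searchParams) params[k] = v;
  return {
    raw: relativeUrl,
    rawHasMarkupChars: /[<>"]/.test(relativeUrl),
    params,
    fragment: url.hash,
  };
}

// Constructed attacker-controlled option values.
const MARKUP_PAYLOAD = 'TEST.QUEUE"><script>alert(document.cookie)</script>';
const PARAM_PAYLOAD = "TEST.QUEUE&purge=true#x";

// Run both builders over both payloads; results keyed by payload name.
function demo() {
  const options = ["ActiveMQ.DLQ", MARKUP_PAYLOAD, PARAM_PAYLOAD];
  const out = {};
  for (const [name, idx] of [["markup", 1], ["param", 2]]) {
    const value = selectedValue(options, idx);
    out[name] = {
      vulnerable: inspect(buildActionUrlVulnerable(ACTION, value)),
      fixed: inspect(buildActionUrlFixed(ACTION, value)),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things to look at in the output: for the markup payload, only the vulnerable raw URL still contains `"`, `<` and `>` (the encoded form carries `%22%3E%3Cscript%3E`), while both decode to the same `queue` parameter, so the fix changes nothing for legitimate queue names. For the second payload, the vulnerable form lets the option value smuggle in an extra `purge=true` parameter and a `#x` fragment, whereas the encoded form keeps the whole string inside `queue`.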


WAF Protection Rules

WAF Rule

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.11 through 5.16.0.
