6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-13947

GHSA ID

GHSA-66gw-ch5v-74v8

EPSS Score

0.91668%

CWE

CWE-79

Published

2/9/2022

Updated

3/14/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-13947

CVE-2020-13947: Cross-site scripting (XSS) in Apache ActiveMQ

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-13947

GHSA ID

GHSA-66gw-ch5v-74v8

EPSS Score

0.91668%

CWE

CWE-79

Published

2/9/2022

Updated

3/14/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.activemq:activemq-parent	maven	>= 5.16.0, < 5.16.1	5.16.1
org.apache.activemq:activemq-parent	maven	< 5.15.14	5.15.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper output encoding in the URL construction logic. The original code used string concatenation with 'value' (from a dropdown selection) without URI encoding, creating an XSS vector. The patch introduced encodeURIComponent() and JSTL <c:url> tags to properly encode parameters. The function 'confirmAction' was directly responsible for this insecure URL assembly.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n inst*n** o* * *ross-sit* s*riptin* vuln*r**ility w*s i**nti*i** to ** pr*s*nt in t** w** **s** **ministr*tion *onsol* on t** m*ss***.jsp p*** o* *p**** **tiv*MQ v*rsions *.**.** t*rou** *.**.*.

Reasoning

T** vuln*r**ility st*mm** *rom improp*r output *n*o*in* in t** URL *onstru*tion lo*i*. T** ori*in*l *o** us** strin* *on**t*n*tion wit* 'v*lu*' (*rom * *rop*own s*l**tion) wit*out URI *n*o*in*, *r**tin* *n XSS v**tor. T** p*t** intro*u*** `*n*o**URI*

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-13947: Cross-site scripting (XSS) in Apache ActiveMQ

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI