Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Apache ActiveMQ Vendors:   Apache Software Foundation
Apache ActiveMQ Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1023778
SecurityTracker URL:
CVE Reference:   CVE-2010-0684   (Links to External Site)
Date:  Mar 31 2010
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 5.3.1
Description:   A vulnerability was reported in ActiveMQ. A remote user can conduct cross-site scripting attacks.

The '/createDestination.action' page does not properly filter HTML code from user-supplied input in the JMSDestination parameter before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ActiveMQ software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:


After this request has been sent by the remote user, a target user visiting the following URL will have the 'XSS_PAYLOAD' scripting code executed on their system.

The vendor was notified on February 17, 2010.

Rajat Swarup reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ActiveMQ software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (5.3.1).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS) Vulnerability

CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS)

Security Advisory 03.30.2010


Apache ActiveMQ  is the most popular and powerful open source
messaging and Integration Patterns provider.


Remote unauthenticated exploitation of an input validation
vulnerability in Apache Software Foundation's ActiveMQ server could
allow an attacker to perform a
stored or persistent cross-site scripting (XSS) attack.  The code
responsible for parsing HTTP requests is vulnerable to an XSS
vulnerability. When parsing the JMSDestination parameter from a GET
request to /createDestination.action page, the value of this variable
is directly inserted into the HTML code that can be accessed by using
URLs such as /queues.jsp. This allows an attacker to run arbitrary
JavaScript in the context of the affected domain of the ActiveMQ
administration console.


Successful exploitation of this vulnerability allows an attacker to
conduct an XSS attack on a user. This could allow an attacker to steal
cookies, inject content into pages, or submit requests using the
user's credentials.  To exploit this vulnerability, an attacker must
send malicious request to the vulnerable Active MQ server such as the
following request:[XSS_PAYLOAD]
Once this request is sent, anyone accessing the ActiveMQ queues would
have the XSS payload executed in the context of the browser session
being used to browse using a URL such as:


The author and Apache Software Foundation's ActiveMQ group has
confirmed this vulnerability.


The author is currently unaware of any workaround for this issue but
fix has been released by the vendor.


The Apache Software Foundation ActiveMQ team has addressed this
vulnerability by releasing version 5.3.1 of ActiveMQ.
More information can be found at the following URL.


The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2010-0684 to this issue. This is a candidate for
inclusion in the CVE list (, which standardizes
names for security problems.


02/17/2010  Initial vendor notification
02/17/2010  Initial vendor response
02/23/2010  Vendor Fix committed to SVN
03/24/2010  ActiveMQ 5.3.1 publicly released to fix the issue
03/30/2010  Coordinated public disclosure


This vulnerability was reported by Rajat Swarup (


The author wishes to thank Rob Davies and Dejan Bosanac of Apache
ActiveMQ team for fixing the issues on a high priority.

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC