Bug 955906 (CVE-2012-6092)

Summary: CVE-2012-6092 activemq: Multiple XSS flaws in web demos
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, djorm, dmcphers, grocha, jbpapp-maint, jialiu, jlieskov, lmeyer, soa-p-jira, tkramer, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-02 23:47:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 955433, 958349    

Description Arun Babu Neelicattu 2013-04-24 04:21:03 UTC 
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6092
Comment 2 errata-xmlrpc 2013-07-09 17:57:44 UTC 
This issue has been addressed in following products:

  Fuse MQ Enterprise 7.1.0

Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html