It was found that the A-MQ console would accept a string containing JavaScript as the name of a new message queue. Execution of the UI would subsequently execute the script. An attacker could use this flaw to access sensitive information or perform other attacks.
Acknowledgements: Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting this issue.
This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.2.1, via RHSA-2015:2557 (https://rhn.redhat.com/errata/RHSA-2015-2557.html)
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.2.1, via RHSA-2015:2556 (https://rhn.redhat.com/errata/RHSA-2015-2556.html)
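
The flaw described above is a stored cross-site scripting pattern: a queue name is accepted unchanged and later placed into the console's markup. The following is an added illustration, not code from the A-MQ console or from Red Hat's fix; every function name, the markup, the sample names and the allow-list policy are assumptions made for the example.

```javascript
// Added illustration; not code from the A-MQ console. All names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored queue name is concatenated into markup as-is.
function renderQueueRowUnsafe(name) {
  return '<tr><td class="queue-name">' + name + '</td></tr>';
}

// Hardened pattern: the name is encoded for the HTML context at output time.
function renderQueueRowSafe(name) {
  return '<tr><td class="queue-name">' + escapeHtml(name) + '</td></tr>';
}

// Defence in depth when the queue is created. This allow-list is an assumed
// policy for the example, not the broker's actual destination naming rules.
function isAcceptableQueueName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9._-]{1,255}$/.test(name);
}

// Constructed sample queue names: one ordinary, two containing markup characters.
const samples = ['orders.incoming', '<script>alert(1)</script>', 'a&b "quoted"'];

// For each name, record whether creation would be accepted and whether a live
// <script> tag survives into the rendered row for each rendering function.
function report(names) {
  return names.map((name) => ({
    name,
    accepted: isAcceptableQueueName(name),
    unsafeHasScriptTag: /<script/i.test(renderQueueRowUnsafe(name)),
    safeHasScriptTag: /<script/i.test(renderQueueRowSafe(name)),
  }));
}

console.log(report(samples));
```

Output encoding is the control that closes the issue even for names already stored; the creation-time check only limits what new names can contain.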