Portfolio publisher servlet doesn't sanitize input. For example he following url in Firefox http://localhost:8161/demo/portfolioPublish?count=1&refresh=%27%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E&stocks=IBMW&stocks=BEAS&stocks=MSFT&stocks=SUNW will trigger JS code. External references: https://issues.apache.org/jira/browse/AMQ-4398
Created activemq tracking bugs for this issue Affects: fedora-18 [bug 924448]
This issue has been addressed in following products: Fuse MQ Enterprise 7.1.0 Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html