Apache ActiveMQ before version 5.15.5 is vulnerable to a cross-site scripting (XSS) flaw via the QueueFilter parameter. An attacker could exploit this by feeding a URL-encoded script to the QueueFilter parameter in the URI.

External Reference:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-008/?fid=11632

Upstream Bug:
https://issues.apache.org/jira/browse/AMQ-6954

Upstream Patches:
https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d25de5d
https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d8c80a9
Created activemq tracking bugs for this issue:

Affects: fedora-all [bug 1622775]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following products:
* JBoss Developer Studio 11

Please refer to https://access.redhat.com/node/4027141 for more details.
Statement: Red Hat Single Sign-On does not include the vulnerable web console components.
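For deployments that cannot move to 5.15.5 immediately, a log review for the QueueFilter issue described at the top of this bug can look like the following. This is an added example, not code from the ActiveMQ project or from this bug; the log lines, the request path and the markup heuristic are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

PARAM = "queuefilter"  # parameter named in the bug description, compared lower-cased
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristic (assumption): a queue-name filter never needs a tag opener or a quote.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]|[\"']")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def queuefilter_values(target):
    """Return the decoded QueueFilter values found in a request target."""
    query = urlsplit(target).query
    return [decode_fully(v)
            for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() == PARAM]

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for QueueFilter values carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for value in queuefilter_values(match.group(1)):
            if MARKUP_RE.search(value):
                hits.append((number, value))
    return hits

# Constructed access-log lines; "/console-placeholder/" stands in for the real path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2018:10:00:00 +0000] "GET /console-placeholder/queues?QueueFilter=orders.eu HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Sep/2018:10:02:11 +0000] "GET /console-placeholder/queues?QueueFilter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301',
    '192.0.2.44 - - [01/Sep/2018:10:02:15 +0000] "GET /console-placeholder/queues?QueueFilter=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5290',
    '192.0.2.10 - - [01/Sep/2018:10:05:40 +0000] "GET /console-placeholder/topics HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: QueueFilter carries markup: {value!r}")
```

A hit only shows that markup was sent in the parameter; whether it was reflected unescaped depends on the ActiveMQ version serving the request.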