A specially crafted MQTT packet that has an XSS payload as its client-id or topic name can exploit this vulnerability. The XSS payload is injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section.
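As an added illustration (not code from this advisory or from the affected product), the Python example below extracts the two attacker-controlled strings named above, the CONNECT client-id and the PUBLISH topic name, from raw MQTT 3.1/3.1.1 packets and flags values that contain markup or control characters. The sample packets, function names and character set are assumptions constructed for this example.

```python
import struct

# Assumption: characters treated as suspicious in an identifier or topic name.
SUSPICIOUS = set("<>\"'&`")

# Constructed sample packets (not captured traffic).
SAMPLE_CONNECT = b"\x10\x16\x00\x04MQTT\x04\x02\x00\x3c\x00\x0a<b>cid</b>"
SAMPLE_PUBLISH = b"\x30\x10\x00\x0csensors/temp21"

def _varint(buf, pos):
    """Decode the MQTT 'remaining length' field; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 21:
            raise ValueError("remaining length longer than 4 bytes")

def _utf8(buf, pos):
    """Read a 2-byte length-prefixed UTF-8 string; return (text, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[pos + 2:end].decode("utf-8", errors="replace"), end

def untrusted_fields(packet):
    """Return {'client_id': ...} for CONNECT, {'topic': ...} for PUBLISH."""
    ptype = packet[0] >> 4
    length, pos = _varint(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if ptype == 1:  # CONNECT: protocol name, level, flags, keep-alive, client-id
        _proto, p = _utf8(body, 0)
        if body[p] not in (3, 4):
            raise ValueError("only the MQTT 3.1/3.1.1 CONNECT layout is handled")
        client_id, _ = _utf8(body, p + 4)  # skip level, flags, 2-byte keep-alive
        return {"client_id": client_id}
    if ptype == 3:  # PUBLISH: variable header starts with the topic name
        topic, _ = _utf8(body, 0)
        return {"topic": topic}
    return {}

def flag_markup(packet):
    """Names of fields whose value contains markup or control characters."""
    return sorted(k for k, v in untrusted_fields(packet).items()
                  if any(c in SUSPICIOUS or ord(c) < 0x20 for c in v))
```

Flagging at the broker edge is a detection aid only; the fix for this issue is the product update listed below.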
This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):