
Security Bulletin: IBM Spectrum Control is vulnerable to weaknesses related to activemq-web (CVE-2012-6092, CVE-2015-6524, CVE-2016-0734, CVE-2011-4905, CVE-2012-6551, CVE-2013-1879, CVE-2013-1880)

Summary

Cross-site scripting (XSS), brute force attack, and denial of service vulnerabilities in activemq-web may affect IBM Spectrum Control.

CVE-2012-6092, CVE-2015-6524, CVE-2016-0734, CVE-2011-4905, CVE-2012-6551, CVE-2013-1879, CVE-2013-1880

Vulnerability Details

CVEID: CVE-2012-6092
DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source: IBM X-Force
CVSS Base score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-6524
DESCRIPTION: The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.
CWE: CWE-255: Credentials Management Errors
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2016-0734
DESCRIPTION: The web-based administration console in Apache…
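The CVE-2015-6524 entry above describes a username that reaches an LDAP search filter with its wildcard characters intact. The script below is an added example, not code from the bulletin or from ActiveMQ: it builds the user-search filter both the weak way and with RFC 4515 escaping, and includes a check for an unintended wildcard. The `(uid={0})` template is a constructed, assumed search filter.

```python
# Added example (not ActiveMQ code): building an LDAP user-search filter safely.
# The weakness behind CVE-2015-6524 is a login module interpolating the
# supplied username into an LDAP search filter without escaping, so a username
# such as "*" or "adm*" becomes a wildcard match instead of a literal one.
# RFC 4515 defines the escaping for filter assertion values: the characters
# * ( ) \ and NUL are written as a backslash followed by two hex digits.

_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(template: str, username: str) -> str:
    """The weak pattern: interpolate the raw username into the filter."""
    return template.replace("{0}", username)


def safe_user_filter(template: str, username: str) -> str:
    """Hardened form: escape the username so it can only match literally."""
    return template.replace("{0}", escape_filter_value(username))


def contains_filter_wildcard(filter_text: str) -> bool:
    """Return True if the filter has an unescaped '*' (a wildcard match)."""
    i = 0
    while i < len(filter_text):
        if filter_text[i] == "\\":   # skip the \XX escape sequence
            i += 3
            continue
        if filter_text[i] == "*":
            return True
        i += 1
    return False


if __name__ == "__main__":
    template = "(uid={0})"   # constructed user-search template (assumption)
    for name in ("alice", "adm*", "*"):
        weak, hardened = unsafe_user_filter(template, name), safe_user_filter(template, name)
        print(f"{name!r}: weak={weak} wildcard={contains_filter_wildcard(weak)} "
              f"hardened={hardened} wildcard={contains_filter_wildcard(hardened)}")
```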
