CVE-2018-8006
Apache ActiveMQ web console vulnerable to Cross-site Scripting
6.1
MEDIUM
CVSS 3.1
EPSS 78.5%
Description
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.
How to fix CVE-2018-8006
To remediate CVE-2018-8006, upgrade the affected package to one of the fixed versions below.
- upgrade to 5.15.6-1 or later
- upgrade to 5.15.6 or later
Is CVE-2018-8006 being exploited?
Likely — EPSS is 78.5%, placing CVE-2018-8006 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- from 0, < 5.15.6-1
- >= 5.0.0, < 5.15.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |