Details
Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Version: 5.15.6
Description
The admin GUI is very much open to XSS, in the view that lists the contents of a queue.
Using Camel, here is the code required to make the GUI run JavaScript code:
messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", "hello}\"><script>alert('XSS :(');</script>");
This also happens when a header contains XML in which an element carries an attribute:
messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", "<Something something=\"something\">hello</noe>><script>alert('XSS :(');</script>");
This seems to be due to how the title of the message is generated. The second payload also breaks the way the message is displayed in the list, since the XML content after the attribute is rendered as HTML.
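To show the mechanism described above (a header value dropped into the message's title attribute without escaping) next to the corresponding fix, here is an added Java example. It is not ActiveMQ's own code: `TitleEscapeDemo` and its render helpers are hypothetical, and the two header values from the report are used as constructed input.

```java
import java.util.List;

public class TitleEscapeDemo {

    // Escape the characters that can close an attribute value or start an
    // element; everything else passes through unchanged.
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable shape (hypothetical, not the console's JSP): the raw header
    // value is concatenated into the title attribute, so a '"' in the value
    // closes the attribute and the remainder is parsed as markup.
    static String renderUnsafe(String headerValue) {
        return "<a title=\"" + headerValue + "\">message</a>";
    }

    // Hardened shape: identical markup, value escaped before insertion.
    static String renderSafe(String headerValue) {
        return "<a title=\"" + escapeAttr(headerValue) + "\">message</a>";
    }

    // True when the rendered fragment contains a script element anywhere.
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed input: the two header values quoted in the report.
        List<String> payloads = List.of(
            "hello}\"><script>alert('XSS :(');</script>",
            "<Something something=\"something\">hello</noe>><script>alert('XSS :(');</script>");
        for (String p : payloads) {
            System.out.println("unsafe: " + renderUnsafe(p) + "  script? " + containsScriptTag(renderUnsafe(p)));
            System.out.println("safe:   " + renderSafe(p) + "  script? " + containsScriptTag(renderSafe(p)));
        }
    }
}
```

For both inputs the unsafe rendering reports a script element and the escaped rendering does not; the same escaping has to be applied everywhere a header value or message body reaches the page, not only in the title attribute.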