Impact
The flaw occurs because the ActiveMQ Web Console renders a message ID in the page without escaping it. An authenticated producer can send a message whose JMS message ID contains crafted HTML or JavaScript. When an administrator browses the queue in the Web Console, that payload executes in the administrator's browser. This stored cross-site scripting flaw, classified as CWE-79, can let an attacker hijack the administrative session, exfiltrate credentials, or perform arbitrary actions on the administrator's behalf.
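As an added illustration (not ActiveMQ project code), the following Python shows the rendering pattern behind this flaw beside its output-encoded form, plus a defender-side check that flags message IDs which do not have the `ID:<producer>-<counter>` shape a broker normally generates; the sample IDs and the allow-list regex are constructed assumptions, not values from the advisory.

```python
"""Stored XSS via JMS message ID: vulnerable vs. hardened rendering,
and a detection check over queued message IDs (added example)."""
import html
import re

# Constructed sample data: two broker-style IDs and one producer-supplied ID
# that smuggles markup (placeholder content, not a real exploit string).
SAMPLE_IDS = [
    "ID:broker-1-55623-1700000000000-1:1:1:1:1",
    "ID:broker-2-55624-1700000000123-7:1:2:1:9",
    "ID:<b>not-a-real-id</b>",
]

# Assumed conservative allow-list for broker-generated message IDs:
# "ID:" then host/port/timestamp tokens, then ":"-separated numeric parts.
_JMS_ID_RE = re.compile(r"^ID:[A-Za-z0-9._-]+(:\d+)+$")


def render_message_row_vulnerable(message_id: str) -> str:
    """The flawed pattern: attacker-controlled text concatenated into HTML."""
    return f"<td>{message_id}</td>"


def render_message_row_hardened(message_id: str) -> str:
    """Fix: HTML-escape untrusted text before placing it in an HTML context.
    quote=True also escapes quotes, so the value is safe in attributes too."""
    return f"<td>{html.escape(message_id, quote=True)}</td>"


def looks_like_jms_message_id(message_id: str) -> bool:
    """True when the ID matches the expected broker-generated shape."""
    return _JMS_ID_RE.fullmatch(message_id) is not None


def find_suspicious_ids(message_ids):
    """Detection helper: return IDs that fail the allow-list, i.e. ones a
    producer set itself and that may carry markup or script."""
    return [m for m in message_ids if not looks_like_jms_message_id(m)]


if __name__ == "__main__":
    for mid in SAMPLE_IDS:
        print("vulnerable:", render_message_row_vulnerable(mid))
        print("hardened:  ", render_message_row_hardened(mid))
    print("suspicious:", find_suspicious_ids(SAMPLE_IDS))
```

The allow-list is a monitoring aid, not a substitute for the upgrade: output encoding in the console is the actual fix, while the check helps spot producers that are setting their own message IDs.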
Affected Systems
Apache ActiveMQ versions before 5.19.8, and versions 6.0.0 through 6.2.6 (that is, 6.x before 6.2.7), are affected, together with the ActiveMQ Web Console components shipped in those same releases. No additional product details are provided.
Risk and Exploitability
The CVSS score of 6.1 indicates a moderate to high risk level; EPSS data is unavailable, which suggests little publicly known exploitation data. The vulnerability is not listed in the CISA KEV catalog, and no remote exploitation has been reported. Exploitation requires an authenticated producer able to set a crafted message ID, so the risk is high where producer credentials are exposed or not strictly controlled. Organizations should review their producer access controls and limit Web Console exposure to trusted administrators only.
OpenCVE Enrichment