Vulnerability Name: | CVE-2020-1941 (CCN-181957) |
Assigned: | 2019-12-02 |
Published: | 2020-05-14 |
Updated: | 2022-10-05 |
Summary: | In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. |
CVSS v3 Severity: | 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| 5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C) |
| Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required |
| Scope: Scope (S): Changed |
| Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None |
| 6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C) |
| Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required |
| Scope: Scope (S): Changed |
| Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None |
CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None |
| Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None |
| 5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N) |
| Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance |
| Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None |
Vulnerability Type: | CWE-79 |
Vulnerability Consequences: | Cross-Site Scripting |
References: |
| Source: MISC | Type: Vendor Advisory | http://activemq.apache.org/security-advisories.data/CVE-2020-1941-announcement.txt |
| Source: MITRE | Type: CNA | CVE-2020-1941 |
| Source: CCN | Type: Apache ActiveMQ Web site | Apache ActiveMQ |
| Source: XF | Type: UNKNOWN | apache-cve20201941-xss(181957) |
| Source: MLIST | Type: Mailing List, Patch, Vendor Advisory | [activemq-commits] 20210208 [activemq-website] branch master updated: Publish CVE-2020-13947 |
| Source: MLIST | Type: Mailing List, Vendor Advisory | [activemq-commits] 20210127 [activemq-website] branch master updated: Publish CVE-2021-26117 |
| Source: MLIST | Type: Mailing List, Vendor Advisory | [activemq-commits] 20200910 [activemq-website] branch master updated: Publish CVE-2020-11998 |
| Source: CCN | Type: oss-sec Mailing List, Thu, 14 May 2020 07:25:05 +0200 | [CVE-2020-1941] XSS in ActiveMQ WebConsole |
| Source: CCN | Type: IBM Security Bulletin 6235094 (Cloud Pak System) | Vulnerability identified in Apache ActiveMQ used in Cloud Pak System (CVE-2020-1941) |
| Source: CCN | Type: IBM Security Bulletin 6324863 (Resilient OnPrem) | IBM Resilient SOAR is Using Components with Known Vulnerabilities - activemq-camel-5.15.9.jar (CVE-2015-5182, CVE-2015-5183, CVE-2015-5184, CVE-2020-1941) |
| Source: CCN | Type: IBM Security Bulletin 6332213 (Operations Analytics Predictive Insights) | A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-1941) |
| Source: CCN | Type: IBM Security Bulletin 6344071 (QRadar SIEM) | IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities |
| Source: CCN | Type: IBM Security Bulletin 6955033 (Security Directory Integrator) | IBM Security Directory Integrator is affected by multiple security vulnerabilities |
| Source: CCN | Type: IBM Security Bulletin 7001693 (Security Directory Suite VA) | IBM Security Directory Suite is vulnerable to multiple issues |
| Source: MISC | Type: Third Party Advisory | https://www.oracle.com/security-alerts/cpuApr2021.html |
| Source: CCN | Type: Oracle CPUJul2020 | Oracle Critical Patch Update Advisory - July 2020 |
| Source: MISC | Type: Third Party Advisory | https://www.oracle.com/security-alerts/cpujul2020.html |
| Source: CCN | Type: Oracle CPUOct2020 | Oracle Critical Patch Update Advisory - October 2020 |
| Source: MISC | Type: Third Party Advisory | https://www.oracle.com/security-alerts/cpuoct2020.html |
Vulnerable Configuration: |
| Configuration 1: |
| cpe:/a:apache:activemq:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.15.11) |
| Configuration 2: |
| cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.2) |
| OR cpe:/a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:* |
| Configuration CCN 1: |
| cpe:/a:apache:activemq:5.0.0:*:*:*:*:*:*:* |
| OR cpe:/a:apache:activemq:5.15.11:*:*:*:*:*:*:* |
| AND cpe:/a:oracle:flexcube_private_banking:12.0:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:* |
| OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:* |
| OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:* |
| OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:* |
| OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:* |
| OR cpe:/a:ibm:cloud_pak_system:2.2.6:*:*:*:*:*:*:* |
| OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.0:*:*:*:*:*:*:* |
| OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:* |
| OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:* |
| OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:* |