CVE-2016-0734

CWE-254 CWE-79 — Cross-site Scripting (XSS)8 documents7 sources

Severity

6.1MEDIUM

EPSS

3.0%

top 13.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Activemq

Timeline

PublishedApr 7

Latest updateMay 14

Description

The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Mavenorg.apache.activemq:activemq-client5.0.0 — 5.13.2

▶NVDapache/activemq27 versions+26

🔴Vulnerability Details

OSV

Improper Neutralization of Input During Web Page Generation in Apache ActiveMQ↗2022-05-14

▶

GHSA

Improper Neutralization of Input During Web Page Generation in Apache ActiveMQ↗2022-05-14

▶

CVEList

CVE-2016-0734: The web-based administration console in Apache ActiveMQ 5↗2016-04-07

▶

📋Vendor Advisories

Red Hat

activemq: Clickjacking in Web Console↗2016-03-10

▶

Debian

CVE-2016-0734: activemq - The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does n...↗2016

▶

💬Community

Bugzilla

CVE-2016-0734 CVE-2016-0782 activemq: various flaws [fedora-all]↗2016-03-14

▶

Bugzilla

CVE-2016-0734 activemq: Clickjacking in Web Console↗2016-03-14

▶