Moderate severity · NVD Advisory · Published Apr 21, 2013 · Updated Apr 29, 2026
CVE-2012-6092
Description
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
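The two demo vectors above share one root cause: request data (the `refresh` parameter) and message data (the STOMP message body) are concatenated into HTML and handed to the parser as markup. The example below is added here and is not ActiveMQ code; the function names (`escapeHtml`, `renderMessage`, `renderMessageUnsafe`, `parseRefreshSeconds`) and the fallback/maximum values for the refresh interval are assumptions for illustration. It shows the unsafe concatenation next to an HTML-context escape for the free-text case, and strict numeric validation for the refresh parameter, which is the better fit when the value is supposed to be a number anyway.

```javascript
// Added example, not code from the ActiveMQ project.
// Assumed helper names: escapeHtml, renderMessageUnsafe, renderMessage,
// parseRefreshSeconds.

// Minimal HTML escaper for text and attribute content: the five characters
// that can change HTML structure are replaced with entities.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe shape used by the chat demo: the message body becomes markup.
function renderMessageUnsafe(body) {
  return "<p>" + body + "</p>\n";
}

// Safe shape: the <p> wrapper stays markup, the body is data.
function renderMessage(body) {
  return "<p>" + escapeHtml(body) + "</p>\n";
}

// For a numeric parameter such as refresh, validate instead of encoding:
// accept only a short run of digits within an assumed range, otherwise
// fall back to a default. Returned as a number, so it can never carry markup.
function parseRefreshSeconds(raw, fallback = 1, max = 3600) {
  if (typeof raw !== "string" || !/^[0-9]{1,5}$/.test(raw)) return fallback;
  const n = Number(raw);
  if (n < 1) return fallback;
  return Math.min(n, max);
}

// Constructed sample inputs (illustration only).
const sampleBody = "<b>not bold</b> & done";
console.log(renderMessageUnsafe(sampleBody)); // tags are interpreted by the browser
console.log(renderMessage(sampleBody));       // tags are shown as literal text
console.log(parseRefreshSeconds("5"), parseRefreshSeconds("5'><x"), parseRefreshSeconds("99999"));
```

Where a framework is in use, prefer its element-building API (create the `<p>`, then set its text content from the body) over string assembly; the string version above keeps the contrast explicit.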
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:activemq-core (Maven) | < 5.8.0 | 5.8.0 |
Affected products
- cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* (range: <= 5.7.0)
- cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
Patches
51eb87a84be8 https://issues.apache.org/jira/browse/AMQ-4115 - xss in web demos
2 files changed · +8 −3
activemq-web-demo/src/main/webapp/websocket/chat.js+2 −2 modified@@ -29,7 +29,7 @@ $(document).ready(function(){ // this allows to display debug logs directly on the web page client.debug = function(str) { - $("#debug").append(str + "\n"); + $("#debug").append(document.createTextNode(str + "\n")); }; // the client is notified when it is connected to the server. var onconnect = function(frame) { @@ -39,7 +39,7 @@ $(document).ready(function(){ $('#send_form_input').removeAttr('disabled'); client.subscribe(destination, function(message) { - $("#messages").append("<p>" + message.body + "</p>\n"); + $("#messages").append(document.createTextNode("<p>" + message.body + "</p>\n")); }); }; client.connect(login, passcode, onconnect);
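Review bot: in the second hunk, wrapping the whole `"<p>" + message.body + "</p>\n"` string in `document.createTextNode` neutralises the body but also turns the `<p>` wrapper into literal text, so every message now displays the tags instead of being laid out as a paragraph. Build the element and put only the body in it as text, e.g. `var p = document.createElement("p"); p.textContent = message.body; $("#messages").append(p);`.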
activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java+6 −1 modified@@ -70,7 +70,8 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t } out.print(refreshRate); out.println("'/></head>"); - out.println("<body>Published <b>" + count + "</b> of " + total + " price messages. Refresh = " + refreshRate + "s"); + out.println("<body>Published <b>" + escape(Integer.toString(count)) + "</b> of " + escape(Integer.toString(total)) + + " price messages. Refresh = " + escape(refreshRate) + "s"); out.println("</body></html>"); } catch (JMSException e) { @@ -129,4 +130,8 @@ protected int getNumberOfMessages(HttpServletRequest request) { } return 1; } + + protected String escape(String text) throws IOException { + return java.net.URLEncoder.encode(text, "UTF-8"); + } }
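Review bot: the context lines at the top of the first hunk still show `out.print(refreshRate);` written raw into the `<meta ... content='...'/>` attribute in the head, while the same `refreshRate` is escaped only in the body line the hunk changes. Apply the same treatment at that first use, or better, validate the parameter as a bounded integer once before either use, which also keeps the meta refresh value well-formed.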
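Review bot: in the second hunk, `escape` is implemented with `java.net.URLEncoder.encode`, which is a form/URL encoder rather than an HTML escaper: it rewrites spaces to `+` and most non-alphanumerics to `%XX` sequences, so any ordinary text passed through it renders incorrectly, and the method needs `throws IOException` only because of the encoding-name argument. An HTML-context escape that maps `&`, `<`, `>`, `"` and `'` to their entities is the right tool here and has no checked exception.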
References
- github.com/advisories/GHSA-rp9p-863f-9c4h [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2012-6092 [ghsa, ADVISORY]
- activemq.apache.org/activemq-580-release.html [nvd, WEB]
- rhn.redhat.com/errata/RHSA-2013-1029.html [nvd, WEB]
- www.securityfocus.com/bid/59400 [nvd, WEB]
- fisheye6.atlassian.com/changelog/activemq [nvd, WEB]
- github.com/apache/activemq/commit/51eb87a84be88d28383ea48f6e341ffe1203c5ba [ghsa, WEB]
- issues.apache.org/jira/browse/AMQ-4115 [nvd, WEB]
- issues.apache.org/jira/secure/ReleaseNote.jspa [nvd, WEB]