VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Feb 5, 2014· Updated Apr 29, 2026

CVE-2013-1880

CVE-2013-1880

Description

Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.activemq:activemq-coreMaven
< 5.9.05.9.0

Affected products

14
  • Apache/Activemq14 versions
    cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*+ 13 more
    • cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*range: <=5.8.0
    • cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:*

Patches

1
fafd12dfd4f7

https://issues.apache.org/jira/browse/AMQ-4398 - sanitize header in stock portfolio servlet

https://github.com/apache/activemqBosanac DejanMar 21, 2013via ghsa
commit
2 files changed · +1 3
  • activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java+1 1 modified
    @@ -68,7 +68,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
                 if (refreshRate == null || refreshRate.length() == 0) {
                     refreshRate = "1";
                 }
-                out.print(refreshRate);
+                out.print(escape(refreshRate));
                 out.println("'/></head>");
                 out.println("<body>Published <b>" + escape(Integer.toString(count)) + "</b> of " + escape(Integer.toString(total))
                         + " price messages.  Refresh = " + escape(refreshRate) + "s");
  • assembly/src/sample-conf/activemq-demo.xml+0 2 modified
    @@ -201,8 +201,6 @@
             <transportConnector name="ssl" uri="ssl://localhost:61617"/>
             <!-- Create a STOMP transport for STOMP clients. -->
             <transportConnector name="stomp" uri="stomp://localhost:61613"/>
-            <!-- Create a XMPP transport for XMPP clients. -->
-            <transportConnector name="xmpp" uri="xmpp://localhost:61222"/>
             <!-- Create a Websocket transport for the websocket dmeo -->
             <transportConnector name="ws" uri="ws://localhost:61614/" />
         </transportConnectors>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.