CVE-2016-6810
Description
In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache ActiveMQ 5.x before 5.14.2 has a stored XSS in the web admin console due to improper output encoding of client ID values.
Vulnerability
In Apache ActiveMQ 5.x versions prior to 5.14.2, the web-based administration console contains a cross-site scripting (XSS) vulnerability. The bug is caused by improper user data output validation, specifically the use of ${row.clientId} inside <c:url> tags without escaping, allowing attacker-controlled client ID values to inject arbitrary JavaScript into administration console pages [1]. Affected versions include all 5.x releases up to and including 5.14.1 [2].
Exploitation
An attacker must have network access to the ActiveMQ broker and the ability to connect as a client with a crafted client ID containing malicious script payloads. The attacker sets a malicious client ID when establishing a connection; when an administrator views the connection list in the web console, the client ID is rendered unsanitized, causing the script to execute in the administrator's browser [2][3]. No authentication is required for the client connection, but the XSS triggers only when a privileged admin user accesses the affected JSP pages.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administration console session of a privileged user. This can lead to theft of session cookies, impersonation of the admin, or further attacks against the broker's internal network. The compromise is limited to the browser session, not the server itself, but can expose sensitive broker information and enable further lateral movement [1].
Mitigation
The fix is included in Apache ActiveMQ 5.14.2, released in December 2016 [1]. The patch replaces ${row.clientId} with <c:out value="${row.clientId}" /> in all affected JSP files, ensuring proper HTML entity encoding of user-supplied data [3][4]. Operators should upgrade to version 5.14.2 or later. No workaround is necessary for patched versions; if upgrading is not immediately possible, restrict access to the web console to trusted networks and users.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
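A source-level check for the pattern described above, as an added example (not code from the ActiveMQ project or the advisory): it flags EL expressions that reach the page without going through `<c:out>`. The sample JSP lines are constructed from the diff shown on this page, and the tag classification is an assumption made for the example.

```python
import re

# A prefixed JSP tag with double-quoted attributes, e.g. <c:url value="..."/>.
TAG = re.compile(r'<(\w+:\w+)((?:\s+[\w:.-]+="[^"]*")*)\s*/?>')
EL = re.compile(r'\$\{[^}]*\}')

# Assumed classification for this example (not an exhaustive JSTL list).
NON_OUTPUT = {"c:forEach", "c:when", "c:if", "c:set"}  # evaluate EL, print nothing

def scan_jsp(source):
    """Return (line, context, expression) for EL written without HTML escaping.

    Line-based: a tag split across several lines is not recognised.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        tags = [(m.start(), m.end(), m.group(1), m.group(2)) for m in TAG.finditer(line)]
        for el in EL.finditer(line):
            owner = next((t for t in tags if t[0] <= el.start() < t[1]), None)
            if owner is None:
                # Bare EL in template text is emitted as-is by the JSP engine.
                findings.append((lineno, "template-text", el.group()))
                continue
            _, _, name, attrs = owner
            if name in NON_OUTPUT:
                continue
            if name == "c:out":
                # c:out escapes by default; only escapeXml="false" turns that off.
                if 'escapeXml="false"' in attrs:
                    findings.append((lineno, "c:out escapeXml=false", el.group()))
                continue
            # c:url and unknown custom tags: output is not known to be escaped.
            findings.append((lineno, name, el.group()))
    return findings

# Constructed sample: lines taken from the diff on this page (pre- and post-fix).
SAMPLE = """\
<c:forEach items="${requestContext.queueProducerQuery.producers}" var="row">
<a href="network.jsp">${row.clientId}</a><br/>
<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/>
<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/>
<form:tooltip text="${row.clientId}" length="10"/>
<c:out value="${row.connectionId}" />
"""

if __name__ == "__main__":
    for finding in scan_jsp(SAMPLE):
        print(finding)
```

A finding on a custom tag such as `form:tooltip` means the tag's own implementation has to be read to see whether it encodes its output.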
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:activemq-client (Maven) | >= 5.0.0, < 5.14.2 | 5.14.2 |
Affected products
- Apache Software Foundation/Apache ActiveMQ v5, Range: 5.0.0 to 5.14.1
Patches
e16ed24 https://issues.apache.org/jira/browse/AMQ-6468
5 files changed · +7 −7
activemq-web-console/src/main/webapp/queueConsumers.jsp+1 −1 modified@@ -63,7 +63,7 @@ <a href="network.jsp">${row.clientId}</a><br/> </c:when> <c:otherwise> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> </c:otherwise> </c:choose> <c:out value="${row.connectionId}" />
activemq-web-console/src/main/webapp/queueProducers.jsp+1 −1 modified@@ -49,7 +49,7 @@ <c:forEach items="${requestContext.queueProducerQuery.producers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
activemq-web-console/src/main/webapp/subscribers.jsp+3 −3 modified@@ -97,7 +97,7 @@ <c:forEach items="${requestContext.brokerQuery.durableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td> @@ -145,7 +145,7 @@ <c:forEach items="${requestContext.brokerQuery.inactiveDurableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td> @@ -194,7 +194,7 @@ <c:forEach items="${requestContext.brokerQuery.nonDurableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td>
activemq-web-console/src/main/webapp/topicProducers.jsp+1 −1 modified@@ -49,7 +49,7 @@ <c:forEach items="${requestContext.topicProducerQuery.producers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
activemq-web-console/src/main/webapp/topicSubscribers.jsp+1 −1 modified@@ -53,7 +53,7 @@ <c:forEach items="${requestContext.topicSubscriberQuery.subscribers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
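Review bot: In queueConsumers.jsp (hunk @@ -63,7 +63,7 @@), the <c:when> branch shown as context, <a href="network.jsp">${row.clientId}</a>, still writes ${row.clientId} as bare EL in template text, which JSP emits without HTML escaping, so the client ID reaches the page unencoded on that path. It should go through <c:out value="${row.clientId}" /> the same way the <c:otherwise> branch does.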
c1157fe1f007 https://issues.apache.org/jira/browse/AMQ-6468
5 files changed · +7 −7
activemq-web-console/src/main/webapp/queueConsumers.jsp+1 −1 modified@@ -63,7 +63,7 @@ <a href="network.jsp">${row.clientId}</a><br/> </c:when> <c:otherwise> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> </c:otherwise> </c:choose> <c:out value="${row.connectionId}" />
activemq-web-console/src/main/webapp/queueProducers.jsp+1 −1 modified@@ -49,7 +49,7 @@ <c:forEach items="${requestContext.queueProducerQuery.producers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
activemq-web-console/src/main/webapp/subscribers.jsp+3 −3 modified@@ -97,7 +97,7 @@ <c:forEach items="${requestContext.brokerQuery.durableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td> @@ -145,7 +145,7 @@ <c:forEach items="${requestContext.brokerQuery.inactiveDurableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td> @@ -194,7 +194,7 @@ <c:forEach items="${requestContext.brokerQuery.nonDurableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td>
activemq-web-console/src/main/webapp/topicProducers.jsp+1 −1 modified@@ -49,7 +49,7 @@ <c:forEach items="${requestContext.topicProducerQuery.producers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
activemq-web-console/src/main/webapp/topicSubscribers.jsp+1 −1 modified@@ -53,7 +53,7 @@ <c:forEach items="${requestContext.topicSubscriberQuery.subscribers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
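Review bot: The href values in all five files now go through <c:out> instead of <c:url>, which HTML-escapes the attribute but leaves the client ID concatenated into the query string without URL encoding, and drops the URL rewriting <c:url> performed. A client ID containing &, # or a space will yield a link whose connectionID parameter no longer matches the connection. Consider building the link with <c:url var="..."> plus <c:param name="connectionID" value="${row.clientId}"/> and emitting that variable through <c:out>.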
77b827f https://issues.apache.org/jira/browse/AMQ-6468
5 files changed · +7 −7
activemq-web-console/src/main/webapp/queueConsumers.jsp+1 −1 modified@@ -63,7 +63,7 @@ <a href="network.jsp">${row.clientId}</a><br/> </c:when> <c:otherwise> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> </c:otherwise> </c:choose> <c:out value="${row.connectionId}" />
activemq-web-console/src/main/webapp/queueProducers.jsp+1 −1 modified@@ -49,7 +49,7 @@ <c:forEach items="${requestContext.queueProducerQuery.producers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
activemq-web-console/src/main/webapp/subscribers.jsp+3 −3 modified@@ -97,7 +97,7 @@ <c:forEach items="${requestContext.brokerQuery.durableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td> @@ -145,7 +145,7 @@ <c:forEach items="${requestContext.brokerQuery.inactiveDurableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td> @@ -194,7 +194,7 @@ <c:forEach items="${requestContext.brokerQuery.nonDurableTopicSubscribers}" var="row"> <tr> <td> -<a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"> +<a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"> <form:tooltip text="${row.clientId}" length="10"/> </a> </td>
activemq-web-console/src/main/webapp/topicProducers.jsp+1 −1 modified@@ -49,7 +49,7 @@ <c:forEach items="${requestContext.topicProducerQuery.producers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
activemq-web-console/src/main/webapp/topicSubscribers.jsp+1 −1 modified@@ -53,7 +53,7 @@ <c:forEach items="${requestContext.topicSubscriberQuery.subscribers}" var="row"> <tr> <td> - <a href="<c:url value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> + <a href="<c:out value="connection.jsp?connectionID=${row.clientId}"/>"><c:out value="${row.clientId}" /></a><br/> <br> <c:out value="${row.connectionId}" /> </td>
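Review bot: In subscribers.jsp (hunks at -97, -145 and -194), the link text is still produced by <form:tooltip text="${row.clientId}" length="10"/>, and nothing in this diff shows whether that custom tag HTML-encodes its text attribute. Since the same client ID flows through it, please confirm the tag's implementation escapes the value, or cover it in this change.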
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5jg4-p78r-p5j3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-6810 (ghsa, ADVISORY)
- activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt (ghsa, x_refsource_CONFIRM, WEB)
- www.securityfocus.com/bid/94882 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1037475 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/apache/activemq/commit/77b827f (ghsa, WEB)
- github.com/apache/activemq/commit/c1157fe1f007ee2344a7f0badefa0794c98817cd (ghsa, WEB)
- github.com/apache/activemq/commit/e16ed24 (ghsa, WEB)
- issues.apache.org/jira/browse/AMQ-6468 (ghsa, WEB)
- lists.apache.org/thread.html/924a3a27fad192d711436421e02977ff90d9fc0f298e1efe6757cfbc%40%3Cusers.activemq.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/924a3a27fad192d711436421e02977ff90d9fc0f298e1efe6757cfbc@%3Cusers.activemq.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E (ghsa, WEB)