VYPR
Moderate severity · NVD Advisory · Published Oct 10, 2018 · Updated Sep 16, 2024

CVE-2018-8006

Description

Cross-site scripting vulnerability in Apache ActiveMQ's web admin console queue.jsp due to improper filtering of the QueueFilter parameter allows arbitrary JavaScript injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the web-based administration console of Apache ActiveMQ versions 5.0.0 to 5.15.5. The issue is located in the queue.jsp page and is caused by improper data filtering of the QueueFilter parameter. When displaying the queue list, the QueueFilter parameter value is not properly encoded, allowing injection of arbitrary HTML and JavaScript [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL with a QueueFilter parameter containing a JavaScript payload. The victim, typically an administrator with access to the web console, must visit this URL (e.g., via a phishing link). Upon loading the queue.jsp page, the injected script executes in the context of the victim's session on the ActiveMQ admin console [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin console. This can lead to session hijacking, theft of sensitive credentials or configuration data, defacement of the console interface, or further attacks against the ActiveMQ environment [1].

Mitigation

The vulnerability is fixed in ActiveMQ version 5.15.6 [3][4]. Users should upgrade to this version or later. Those unable to upgrade can apply the patches in commits [3][4] to the source code and rebuild. No workarounds are provided; immediate upgrade is recommended.
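
An added example (not code from this advisory or from the ActiveMQ project): a heuristic Python check that flags request parameters written into JSP markup through a bare `${param...}` expression, the pattern the fix replaces with `<c:out>`, which is useful after hand-applying the patch to a source tree. The function names, regexes and the constructed sample lines are assumptions made for illustration; the first sample reproduces the form shown in the patch below.

```python
import re

# Heuristic audit for the bug class fixed in this advisory: request parameters
# written into JSP template text through a bare EL expression.
C_OUT_TAG = re.compile(r"<c:out\b[^>]*>", re.IGNORECASE)
ESCAPE_OFF = re.compile(r"""escapeXml\s*=\s*["']false["']""", re.IGNORECASE)
EL_EXPR = re.compile(r"\$\{([^}]*)\}")
PARAM_REF = re.compile(r"\bparam(?:Values)?\s*[.\[]")


def _mask_safe_c_out(match):
    """Blank out an escaping <c:out> tag, keeping offsets and line breaks."""
    tag = match.group(0)
    if ESCAPE_OFF.search(tag):
        return tag  # escaping switched off: leave it visible to the scan
    return re.sub(r"[^\n]", " ", tag)


def find_raw_param_el(jsp_source):
    """Return (line_number, expression) for each unescaped ${param...} use."""
    masked = C_OUT_TAG.sub(_mask_safe_c_out, jsp_source)
    findings = []
    for m in EL_EXPR.finditer(masked):
        body = m.group(1)
        if not PARAM_REF.search(body) or "fn:escapeXml(" in body:
            continue
        line = masked.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(0)))
    return findings


# Form from the patch, before and after the fix.
BEFORE = '''<form action="queues.jsp" method="get">
    <label name="destination">Queue Name Filter</label>
    <input type="text" name="QueueFilter" value="${param.QueueFilter}"/>
    <input type="submit" value="Filter"/>
</form>
'''
AFTER = BEFORE.replace('"${param.QueueFilter}"',
                       "\"<c:out value='${param.QueueFilter}'/>\"")
# Constructed lines (not from ActiveMQ): one escaped use, one with escaping off.
CONSTRUCTED = '''<p>${fn:escapeXml(param.q)}</p>
<c:out value="${param.q}" escapeXml="false"/>
'''

if __name__ == "__main__":
    for name, src in (("before", BEFORE), ("after", AFTER), ("constructed", CONSTRUCTED)):
        print(name, find_raw_param_el(src))
```

This is pattern matching rather than a JSP parser, so an empty result is a prompt for review, not proof that every parameter is encoded.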

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.activemq:activemq-web-console (Maven)
Affected versions: >= 5.0.0, < 5.15.6
Patched versions: 5.15.6

Patches

d8c80a98212e

[AMQ-6954] encode the QueueFilter field value also

https://github.com/apache/activemq · artnaseef · Aug 7, 2018 · via ghsa
1 file changed · +1 -1
  • activemq-web-console/src/main/webapp/queues.jsp · +1 -1 · modified
    @@ -46,7 +46,7 @@
     <div>
     <form action="queues.jsp" method="get">
         <label name="destination">Queue Name Filter</label>
    -    <input type="text" name="QueueFilter" value="${param.QueueFilter}"/>
    +    <input type="text" name="QueueFilter" value="<c:out value='${param.QueueFilter}'/>"/>
     
         <input type="submit" value="Filter"/>
     </form>
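
Review bot: on the changed `<input>` line, `<c:out>` only encodes the value if the JSTL core taglib is declared under the `c` prefix for queues.jsp, and that directive is outside this hunk. Please confirm it is present in the page or an included header, because an undeclared tag is passed through as template text and the `${param.QueueFilter}` inside it is still written unescaped. The fix also relies on the default escaping of `c:out`; writing `escapeXml="true"` explicitly would keep a later edit from switching it off unnoticed. The commit changes one file and adds no test, so a regression test that requests queues.jsp with a QueueFilter containing a double quote and an angle bracket, and asserts the encoded form in the response, would be worth adding.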
    
2373aa1

[AMQ-6954] encode the QueueFilter field value also

https://github.com/apache/activemq · artnaseef · Aug 7, 2018 · via ghsa
1 file changed · +1 -1
  • activemq-web-console/src/main/webapp/queues.jsp · +1 -1 · modified
    @@ -46,7 +46,7 @@
     <div>
     <form action="queues.jsp" method="get">
         <label name="destination">Queue Name Filter</label>
    -    <input type="text" name="QueueFilter" value="${param.QueueFilter}"/>
    +    <input type="text" name="QueueFilter" value="<c:out value='${param.QueueFilter}'/>"/>
     
         <input type="submit" value="Filter"/>
     </form>
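
Review bot: this commit carries the same title and the same one-line change to the `<input>` value as d8c80a98212e, and the message does not say how the two differ. Please state in the message which branch or release line each commit targets, so that someone backporting the fix can tell there is no second change to pick up. Separately, on the context line above the edit, `<label name="destination">` is not tied to the QueueFilter input; while this form is being touched, a `for` attribute matching an `id` on the input would be the usual form.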
    
