RabbitMQ XSS attack
Description
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pivotal RabbitMQ versions prior to 3.7.18 and the affected RabbitMQ for PCF releases (1.15.x, 1.16.x and 1.17.x before their fixed versions) contain cross-site scripting (XSS) flaws in the virtual host limits page and the federation management UI; an authenticated administrator can use them to reach virtual host and policy management data.
Vulnerability
In Pivotal RabbitMQ versions prior to v3.7.18, and RabbitMQ for PCF versions 1.15.x prior to 1.15.13, 1.16.x prior to 1.16.6, and 1.17.x prior to 1.17.3, two components—the virtual host limits page and the federation management UI—fail to properly sanitize user input. This allows a remote authenticated user with administrative access to perform a cross-site scripting (XSS) attack.
Exploitation
An attacker must be authenticated and have administrative access to the RabbitMQ management UI. The attacker crafts a malicious input (e.g., containing JavaScript) in the virtual host limits or federation management interface. When another administrator or the attacker themselves views the affected page, the injected script executes in the context of the user's session.
Impact
A successful XSS attack can result in the attacker gaining access to virtual hosts and policy management information. Depending on the injected script's capabilities, the attacker might steal session tokens, perform actions on behalf of the victim, or extract sensitive configuration details.
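The pattern described in the Exploitation and Impact sections above, as an added example that is not RabbitMQ's own code: a management-page row renderer that interpolates a user-controlled vhost name straight into HTML, the same renderer with output escaping, and a defender-side check that flags stored vhost names already containing markup. The `max-connections` and `max-queues` keys are RabbitMQ's vhost limit names; the record shape and the sample data are constructed assumptions.

```javascript
// Added example, not RabbitMQ's own code: the stored-XSS pattern behind this CVE,
// shown as a vulnerable renderer beside its escaped form, plus a defender-side
// check for management-UI data that already contains markup.

// Minimal HTML escaping for text placed inside an element body or quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: user-controlled names and values interpolated straight into
// markup. A vhost (or federation upstream) name containing a <script> tag becomes
// live HTML for every admin who opens the page.
function renderLimitsRowUnsafe(vhost, limits) {
  return `<tr><td>${vhost}</td><td>${limits['max-connections']}</td>` +
         `<td>${limits['max-queues']}</td></tr>`;
}

// Fixed pattern: every field that originates from user input is escaped first.
function renderLimitsRowSafe(vhost, limits) {
  return `<tr><td>${escapeHtml(vhost)}</td><td>${escapeHtml(limits['max-connections'])}</td>` +
         `<td>${escapeHtml(limits['max-queues'])}</td></tr>`;
}

// Defender check: given a list of vhost-limit records (shape assumed here as
// {vhost, value: {...}}), return the vhost names that contain HTML metacharacters
// and deserve a look before an unpatched broker's UI renders them.
const HTML_META = /[<>"'&]/;
function findVhostsWithMarkup(records) {
  return records.filter((r) => HTML_META.test(r.vhost)).map((r) => r.vhost);
}

// Constructed sample: one benign vhost and one whose name carries a script tag.
const sampleVhostLimits = [
  { vhost: '/', value: { 'max-connections': 100, 'max-queues': 50 } },
  { vhost: 'ops<script>probe()</script>', value: { 'max-connections': 10, 'max-queues': 5 } },
];

for (const r of sampleVhostLimits) {
  console.log('unsafe:', renderLimitsRowUnsafe(r.vhost, r.value));
  console.log('safe:  ', renderLimitsRowSafe(r.vhost, r.value));
}
console.log('vhosts with markup:', findVhostsWithMarkup(sampleVhostLimits));
```

The same check applies to federation upstream names; the fix in 3.7.18 is the escaping side, and the detection side only helps you find entries that would have rendered as markup on an unpatched broker.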
Mitigation
Pivotal released fixed versions: RabbitMQ v3.7.18 and RabbitMQ for PCF 1.15.13, 1.16.6, and 1.17.3. Red Hat provided updated packages (e.g., rabbitmq-server-3.7.22-1.el8ost) in RHSA-2020:0078 [1]. Users should upgrade to the patched versions. No workaround other than upgrading is documented.
[1]: https://access.redhat.com/errata/RHSA-2020:0078
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- (no CPE) range: 1.15.x < 1.15.13, 1.16.x < 1.16.6, 1.17.x < 1.17.3
- (no CPE) range: 1.15.x prior to 1.15.13
- Range: prior to v3.7.18
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- access.redhat.com/errata/RHSA-2020:0078 (MITRE: vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/ (MITRE: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/ (MITRE: vendor-advisory, x_refsource_FEDORA)
- lists.debian.org/debian-lts-announce/2021/07/msg00011.html (MITRE: mailing-list, x_refsource_MLIST)
- pivotal.io/security/cve-2019-11281 (MITRE: x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.