CVE-2020-13932
Description
In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remotely triggerable XSS vulnerability in the Diagram Plugin of the Apache ActiveMQ Artemis web console allows script injection via crafted MQTT client IDs or topic names.
Overview
CVE-2020-13932 is a cross-site scripting (XSS) vulnerability in the web console of Apache ActiveMQ Artemis versions 2.5.0 through 2.13.0. The root cause is insufficient sanitization of MQTT packet fields: a specially crafted MQTT packet containing an XSS payload as the client-id or topic name is accepted and later rendered unsafely in the admin console's Diagram Plugin, specifically in queue nodes and the info section [1][2].
Exploitation
The attack is network-based and does not require prior authentication to the message broker. An attacker sends a malicious MQTT packet to a vulnerable Artemis broker. Because the payload is stored in the broker's internal state and later displayed in the browser-based admin console, any administrator viewing the diagram of queues or related info sections will trigger the XSS payload in their session [1][2].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the admin console browser. This could allow an attacker to perform actions on behalf of an authenticated administrator, steal session cookies, deface the console interface, or redirect the admin to malicious sites. The vulnerability is rated Medium severity [2].
Mitigation
The vulnerability is patched in Apache ActiveMQ Artemis version 2.14.0. Users running any affected version (2.5.0 to 2.13.0) should upgrade immediately. There is no workaround mentioned in the advisory; applying the update is the only recommended mitigation [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:apache-artemis (Maven) | >= 2.5.0, < 2.14.0 | 2.14.0 |
Affected products
- Apache / ActiveMQ Artemis
  - Range: 2.5.0 - 2.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3h2h-xqr2-2jp7 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13932 (NVD entry)
- activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt (Apache ActiveMQ security announcement)
- lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E (users@activemq.apache.org mailing list)
- lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E (commits@activemq.apache.org mailing list)
- lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088@%3Ccommits.activemq.apache.org%3E (commits@activemq.apache.org mailing list)
News mentions
No linked articles in our index yet.