Moderate severityNVD Advisory· Published Aug 23, 2022· Updated Aug 3, 2024

HTML Injection in ActiveMQ Artemis Web Console

CVE-2022-35278

Description

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Apache ActiveMQ Artemis web console via HTML in address/queue names allows malicious content display and redirection.

Vulnerability

Description CVE-2022-35278 is a stored cross-site scripting (XSS) vulnerability in the web console of Apache ActiveMQ Artemis versions prior to 2.24.0. The root cause is insufficient sanitization of user-supplied names for addresses or queues, allowing attackers to inject arbitrary HTML or JavaScript.

Exploitation

An attacker with access to the console can create or modify an address or queue containing malicious HTML. When other users browse the web console, the injected content is rendered, enabling the attacker to execute scripts or redirect users to malicious URLs. No special privileges beyond basic console access are required.

Impact

Successful exploitation allows the attacker to display arbitrary content, steal session tokens, or redirect users to malicious websites, potentially leading to further compromise.

Mitigation

The vulnerability is fixed in Apache ActiveMQ Artemis version 2.24.0. Users should upgrade to this version or later. No workarounds are available. The issue was reported via the Apache security mailing list [1].

References

NVD - CVE-2022-35278

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.activemq:artemis-serverMaven	< 2.24.0	2.24.0

Affected products

ghsa-coords
pkg:maven/org.apache.activemq/artemis-server
Range: < 2.24.0
Apache Software Foundation/Apache ActiveMQ Artemisv5
Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-cv6r-h2fm-pvrpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-35278ghsaADVISORY
lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3nghsaWEB
security.netapp.com/advisory/ntap-20221209-0005ghsaWEB
security.netapp.com/advisory/ntap-20221209-0005/mitre

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.006
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000