FreeBSD : activemq -- Web Console XSS (a6cc5753-f29e-11e5-b4a9-ac220bdcec59)

medium Nessus Plugin ID 90236

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Vladimir Ivanov (Positive Technologies) reports:

Several instances of cross-site scripting vulnerabilities were identified to be present in the web-based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root causes of these issues are improper user data output validation and incorrect permissions configured on Jolokia.

Solution

Update the affected package.

See Also

http://www.nessus.org/u?41dd5ff8

http://www.nessus.org/u?c9bd7a69

Plugin Details

Severity: Medium

ID: 90236

File Name: freebsd_pkg_a6cc5753f29e11e5b4a9ac220bdcec59.nasl

Version: 2.9

Type: local

Published: 3/28/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:activemq, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/25/2016

Vulnerability Publication Date: 3/10/2016

Reference Information

CVE: CVE-2016-0782