CVE Vulnerabilities

CVE-2022-35278

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Published: Aug 23, 2022 | Modified: Nov 21, 2024
CVSS 3.x
6.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
6.1 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ubuntu
MEDIUM

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.

Weakness

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as “<”, “>”, and “&” that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Affected Software

Name Vendor Start Version End Version
Activemq_artemis Apache * 2.24.0 (excluding)
AMQ Broker 7.10.1 RedHat artemis-plugin *
Red Hat AMQ 7.8.7 RedHat artemis-plugin *
Activemq Ubuntu bionic *
Activemq Ubuntu kinetic *
Activemq Ubuntu lunar *
Activemq Ubuntu mantic *
Activemq Ubuntu trusty *
Activemq Ubuntu xenial *
Artemis Ubuntu bionic *
Artemis Ubuntu kinetic *
Artemis Ubuntu lunar *
Artemis Ubuntu mantic *
Artemis Ubuntu xenial *

Potential Mitigations

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.

References