
CVE-2016-3088 – Apache ActiveMQ Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2016-3088
24 May 2016 — The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache ActiveMQ. Auth... • https://packetstorm.news/files/id/143191 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2016-0782 – activemq: Cross-site scripting vulnerabilities in web console
https://notcve.org/view.php?id=CVE-2016-0782
13 Mar 2016 — The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue. • http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-0734 – activemq: Clickjacking in Web Console
https://notcve.org/view.php?id=CVE-2016-0734
13 Mar 2016 — The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element. • http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt • CWE-254: 7PK - Security Features •

CVE-2015-5254 – ObjectMessage: unsafe deserialization
https://notcve.org/view.php?id=CVE-2015-5254
08 Jan 2016 — Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. It was found... • https://github.com/jas502n/CVE-2015-5254 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •

CVE-2015-6524
https://notcve.org/view.php?id=CVE-2015-6524
24 Aug 2015 — The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types. • http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt • CWE-255: Credentials Management Errors •

CVE-2015-1830 – Apache ActiveMQ RestFilter Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2015-1830
19 Aug 2015 — Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors. • https://packetstorm.news/files/id/156643 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2014-3576 – ActiveMQ: DoS via unauthenticated remote shutdown command
https://notcve.org/view.php?id=CVE-2014-3576
11 Aug 2015 — The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command. It was found that the Apache ActiveMQ broker exposed a remote shutdown comm... • http://activemq.2283324.n4.nabble.com/About-CVE-2014-3576-tp4699628.html • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •

CVE-2014-8110
https://notcve.org/view.php?id=CVE-2014-8110
12 Feb 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. • https://github.com/tafamace/CVE-2014-8110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-3612 – JAAS: LDAPLoginModule allows empty password authentication
https://notcve.org/view.php?id=CVE-2014-3612
05 Feb 2015 — The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. • http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •

CVE-2014-3600 – ActiveMQ: XXE via XPath expression evaluation
https://notcve.org/view.php?id=CVE-2014-3600
05 Feb 2015 — XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. It was discovered that Apache Ac... • http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt • CWE-611: Improper Restriction of XML External Entity Reference •