FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rabbitmq -- Security issues in management plugin

Affected packages
rabbitmq < 3.4.3

Details

VuXML ID 8469d41c-a960-11e4-b18e-bcaec55be5e5
Discovery 2015-01-08
Entry 2015-01-31

The RabbitMQ project reports:

Some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI:

In all cases, the attacker needs a valid user account on the targeted RabbitMQ cluster.

Furthermore, some admin-controllable content was not properly escaped:

Likewise, an attacker could add content or execute arbitrary JavaScript code on behalf of a user using the management web UI. However, the attacker must be an administrator on the RabbitMQ cluster, thus a trusted user.

References

CVE Name CVE-2015-0862
URL http://www.rabbitmq.com/news.html#2015-01-08T10:14:05+0100
URL http://www.rabbitmq.com/release-notes/README-3.4.3.txt