Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
activemq.apache.org/activemq-580-release.html
rhn.redhat.com/errata/RHSA-2013-1029.html
www.securityfocus.com/bid/59400
fisheye6.atlassian.com/changelog/activemq?cs=1399577
github.com/apache/activemq
github.com/apache/activemq/commit/51eb87a84be88d28383ea48f6e341ffe1203c5ba
issues.apache.org/jira/browse/AMQ-4115
issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282
nvd.nist.gov/vuln/detail/CVE-2012-6092