FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: a258604d-f2aa-11e5-b4a9-ac220bdcec59
Description: activemq -- Unsafe deserialization

Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:

JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like the web console or STOMP object message transformation. As deserialization of untrusted data can lead to security flaws as demonstrated in various reports, this leaves the broker vulnerable to this attack vector. Additionally, applications that consume the ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls.

Discovery: 2016-01-08
Entry: 2016-03-25
Affected versions: < 5.13.0
VuXML ID: 950b2d60-f2a9-11e5-b4a9-ac220bdcec59
Description: activemq -- Web Console Clickjacking

Michael Furman reports:

The web-based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe, which could then be used to cause a user to perform an unintended action in the console.

Discovery: 2016-03-10
Entry: 2016-03-25
Affected versions: < 5.13.2
VuXML ID: a6cc5753-f29e-11e5-b4a9-ac220bdcec59
Description: activemq -- Web Console Cross-Site Scripting

Vladimir Ivanov (Positive Technologies) reports:

Several instances of cross-site scripting vulnerabilities were identified to be present in the web-based administration console, as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues is improper user data output validation and incorrect permissions configured on Jolokia.

Discovery: 2016-03-10
Entry: 2016-03-25
Affected versions: < 5.13.1