Vulnerability Information
Vulnerability Title
RabbitMQ has XSS Vulnerability in an Error Message in Management UI
Vulnerability Description
RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack: an attacker who can modify a virtual host name on disk and then make that virtual host unrecoverable (through other on-disk file modifications) can cause arbitrary JavaScript code to execute in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions display an error message (a notification) in the management UI. The error message includes the virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3 and 3.13.8. An attack that both makes a virtual host fail to start and either creates a new virtual host whose name contains an XSS code snippet or changes the name of an existing virtual host on disk could therefore trigger arbitrary JavaScript code execution in the management UI (the user's browser). Open source RabbitMQ `4.0.3` and Tanzu RabbitMQ `4.0.3` and `3.13.8` patch the issue.
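The root cause described above is a value from disk being placed into notification markup without escaping. The following added example (not RabbitMQ's own management UI code; all function names and the sample virtual host name are constructed for illustration) shows the unescaped rendering pattern beside the escaped one and a simple check a reviewer can run over the rendered markup.

```javascript
// Added example, not RabbitMQ's code: how an unescaped virtual host name
// ends up as live markup in an error notification, and the minimal fix.
// Function names and sample values are hypothetical.

// Minimal HTML escaping for text placed into element content or into
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the on-disk vhost name is concatenated straight into
// the notification markup, so any tags inside the name are rendered.
function renderVhostFailureVulnerable(vhostName, reason) {
  return `<div class="notification error">` +
    `Virtual host '${vhostName}' failed to start: ${reason}</div>`;
}

// Fixed pattern: every value that can be influenced by on-disk data is
// escaped first, so the name is displayed as literal text. In a real UI,
// setting textContent or using an auto-escaping template is equivalent.
function renderVhostFailureFixed(vhostName, reason) {
  return `<div class="notification error">` +
    `Virtual host '${escapeHtml(vhostName)}' failed to start: ` +
    `${escapeHtml(reason)}</div>`;
}

// Constructed sample: a vhost name carrying a script tag, the kind of value
// an on-disk rename as described in the advisory could produce.
const SAMPLE_VHOST = 'orders<script>alert(1)</script>';
const SAMPLE_REASON = 'metadata store unavailable';

// Review check: does the rendered markup contain a raw script tag that the
// template itself never emits?
function leaksRawScript(html) {
  return /<script[\s>]/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(leaksRawScript(renderVhostFailureVulnerable(SAMPLE_VHOST, SAMPLE_REASON))); // true
  console.log(leaksRawScript(renderVhostFailureFixed(SAMPLE_VHOST, SAMPLE_REASON)));      // false
}
```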
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
RabbitMQ Cross-Site Scripting Vulnerability
Vulnerability Description
RabbitMQ is a feature-rich, multi-protocol messaging and streaming broker open-sourced by RabbitMQ. Versions of RabbitMQ prior to 4.0.3 contain a cross-site scripting vulnerability caused by the virtual host name not being escaped, which may allow arbitrary JavaScript code to be executed in the browsers of management UI users.
CVSS Information
N/A
Vulnerability Type
N/A