Some user-controllable content was not properly HTML-escaped
before being presented to a user in the management web UI:
- When a user unqueued a message from the management UI,
message details (header names, arguments, etc.) were displayed
unescaped. An attacker could publish a specially crafted
message to add content or execute arbitrary JavaScript code on
behalf of a user, if this user unqueued the message from the
management UI.
- When viewing policies, their name was displayed unescaped.
An attacker could create a policy with a specially crafted name
to add content or execute arbitrary JavaScript code on behalf
of a user who is viewing policies.
- When listing connected AMQP network clients, client details
such as the client's version were displayed unescaped. An
attacker could use a client with a specially crafted version
field to add content or execute arbitrary JavaScript code on
behalf of a user who is viewing connected clients.
In all cases, the attacker needs a valid user account on the
targeted RabbitMQ cluster.
Furthermore, some admin-controllable content was not properly
escaped:
- user names;
- the cluster name.
Likewise, an attacker could add content or execute arbitrary
JavaScript code on behalf of a user using the management web UI.
However, the attacker must be an administrator on the RabbitMQ
cluster, thus a trusted user.
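The flaw shared by both sections above is the same: a value that a publisher, policy creator, connecting client or administrator controls is concatenated into the page's HTML without escaping. The following is an added illustration in plain JavaScript, not code from RabbitMQ's management UI; the function names, the table layout and the sample header set are constructed for this example.

```javascript
// Added example (not RabbitMQ's own code): rendering a message header
// table the unsafe way (raw values concatenated into markup) and the
// safe way (every user-controlled value HTML-escaped first).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text node or
// a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: header names and values go straight into the
// markup, so a name containing a tag becomes part of the rendered page.
function renderHeadersUnsafe(headers) {
  let html = '<table>';
  for (const [name, value] of Object.entries(headers)) {
    html += `<tr><td>${name}</td><td>${value}</td></tr>`;
  }
  return html + '</table>';
}

// Hardened pattern: the same rendering, but every value that originated
// outside the UI's own code is escaped before it is inserted.
function renderHeadersSafe(headers) {
  let html = '<table>';
  for (const [name, value] of Object.entries(headers)) {
    html += `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td></tr>`;
  }
  return html + '</table>';
}

// Check used to compare the two renderers: does the markup contain any
// tag other than the table structure the renderer emitted itself?
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  const allowed = new Set(['<table', '</table', '<tr', '</tr', '<td', '</td']);
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a header whose name closes the cell and opens a
// script element, the shape of input the advisory describes.
const SAMPLE_HEADERS = {
  'x-note</td><script>/* constructed */</script>': 'a "quoted" & <b>value</b>',
  'x-retries': 3,
};
```

Running `containsForeignTag` over `renderHeadersUnsafe(SAMPLE_HEADERS)` reports the injected script element, while `renderHeadersSafe(SAMPLE_HEADERS)` contains only the table markup and the header text as escaped entities.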