CVE-2020-13821

Description

When the client ID of a connecting HiveMQ client contains JavaScript, that JavaScript is loaded and executed in the HiveMQ Control Center whenever the client detail page for this client is requested.

Attack vector

An attacker could potentially obtain the session token of the HiveMQ Control Center and thereby gain access to the Control Center.
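As an added illustration, not HiveMQ's own code: the unescaped rendering the description outlines beside its escaped form, plus a check a defender can run over broker connection logs. The function names, the log line format and the sample client IDs are constructed here; the strict client ID character set is the one MQTT 3.1.1 (section 3.1.3.1) requires every server to accept.

```python
import html
import re

# MQTT 3.1.1 requires servers to accept client IDs of 1..23 characters from [0-9A-Za-z].
# Brokers may allow more; treating this set as "known good" is a conservative policy.
MQTT_SAFE_CLIENT_ID = re.compile(r"^[0-9A-Za-z]{1,23}$")

# Characters and tokens that an identifier never needs but HTML/JS injection does.
HTML_MARKUP = re.compile(r"[<>\"'&]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def render_client_detail_vulnerable(client_id: str) -> str:
    """Interpolates the client ID straight into the page: the bug class in this advisory."""
    return f"<h1>Client {client_id}</h1>"


def render_client_detail_fixed(client_id: str) -> str:
    """Escapes the client ID before it reaches the page, so any markup renders as text."""
    return f"<h1>Client {html.escape(client_id, quote=True)}</h1>"


def is_suspicious_client_id(client_id: str) -> bool:
    """Detection: flag IDs outside the strict spec charset that also carry HTML/JS markup."""
    return not MQTT_SAFE_CLIENT_ID.match(client_id) and bool(HTML_MARKUP.search(client_id))


def scan_connect_log(lines):
    """Return (client_id, line) for CONNECT lines whose client ID looks like an injection attempt."""
    hits = []
    for line in lines:
        m = re.search(r'clientId="([^"]*)"', line)
        if m and is_suspicious_client_id(m.group(1)):
            hits.append((m.group(1), line))
    return hits


# Constructed sample log lines; the format is assumed, not HiveMQ's actual log format.
SAMPLE_LOG = [
    'CONNECT from 10.0.0.5 clientId="sensor-01" keepAlive=60',
    'CONNECT from 10.0.0.9 clientId="<script>alert(1)</script>" keepAlive=60',
    'CONNECT from 10.0.0.7 clientId="gateway_east" keepAlive=30',
]

if __name__ == "__main__":
    for cid, line in scan_connect_log(SAMPLE_LOG):
        print("suspicious client ID:", cid)
        print("  unescaped:", render_client_detail_vulnerable(cid))
        print("  escaped:  ", render_client_detail_fixed(cid))
```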

Severity

LOW. Exploiting this issue requires the operator to have ignored the following best practices:

1. Allowing unauthorized access to the broker

We recommend always securing access to your HiveMQ broker with authentication and authorization. See the HiveMQ Marketplace for available security extensions. Please don't hesitate to reach out in case you have any questions about securing your deployment.

2. Exposing the HiveMQ Control Center externally

Unless the configuration is specifically changed, the HiveMQ Control Center is only exposed locally on the broker. A potential attacker should therefore not be able to reach the internal Control Center listener, regardless of whether a session token exists.

Affected Version

HiveMQ 4.3.0, 4.3.1, 4.3.2

In case you are running one of these HiveMQ versions in production, we strongly recommend upgrading to one of our latest HiveMQ versions.

Fix Version

HiveMQ 4.3.3