CVE-2015-0862

low

Published 2015-01-18 · Modified 2026-05-06

CVSS v3

—

CVSS v2

3.5

VIR risk

3.5

Description

Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-0862

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://www.rabbitmq.com/news.html#2015-01-08T10:14:05+0100

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`3.4.3-1`
debian	bullseye	fixed	`3.4.3-1`
debian	forky	fixed	`3.4.3-1`
debian	sid	fixed	`3.4.3-1`
debian	trixie	fixed	`3.4.3-1`

Application impact

Vendor	Product	Versions	Fixed
pivotal_software	rabbitmq_management	`{"endIncluding":"3.4.2"}`

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.