CVE-2022-35278: 
Java vulnerability analysis and mitigation

In Apache ActiveMQ Artemis versions prior to 2.24.0, a vulnerability was discovered that allowed attackers to inject malicious HTML content and redirect users to malicious URLs through the web console by manipulating the names of addresses or queues. The vulnerability was assigned CVE-2022-35278 and was initially reported by researchers from Digital14 - Yash Pandya, Rajatkumar Karmarkar, and Likhith Cheekatipalle (Apache Advisory).

The vulnerability is classified as an HTML Injection/Cross-site Scripting (XSS) issue, identified with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). It received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information and potential modification or addition of data through malicious content display or URL redirects in the web console (NetApp Advisory).

The primary mitigation is to upgrade to Apache ActiveMQ Artemis version 2.24.0 or later, which contains the fix for this vulnerability. Red Hat has also released AMQ Broker 7.8.7 to address this security issue (Red Hat Advisory).