This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
The RabbitMQ project reports :
Some user-controllable content was not properly HTML-escaped before
being presented to a user in the management web UI, allowing stored
cross-site scripting :
- When a user unqueued a message from the management UI, message
details (header names, arguments, etc.) were displayed unescaped. An
attacker could publish a specially crafted message to add content or
execute arbitrary JavaScript in the browser of another user who
unqueued the message from the management UI.
- When viewing policies, their name was displayed unescaped. An
attacker could create a policy with a specially crafted name to add
content or execute arbitrary JavaScript in the browser of another user
who is viewing policies.
- When listing connected AMQP network clients, client details such as
their version were displayed unescaped. An attacker could use a client
with a specially crafted version field to add content or execute
arbitrary JavaScript in the browser of another user who is listing
connections.
In all cases, the attacker needs a valid user account on the targeted
RabbitMQ cluster with the permissions required for the corresponding
action (publishing a message, creating a policy or opening a
connection).
Furthermore, some admin-controllable content was not properly escaped
either :
- user names;
- the cluster name.
Likewise, an attacker could add content or execute arbitrary
JavaScript in the browser of another user viewing the affected pages.
However, the attacker must be an administrator on the RabbitMQ
cluster, thus a trusted user.
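The following is an added example, not code from the RabbitMQ project or
from this advisory. It shows the bug class the advisory describes (an
attacker-controlled field such as a policy name concatenated straight into
management-UI markup) beside the escaped rendering that fixes it, and a
small audit walker that flags HTML metacharacters in JSON of the shape the
management HTTP API returns for policies and connections. The escaping
function, the row templates, the walker and all sample records are
assumptions constructed for this example; the sample data is not real
output from any cluster.

```javascript
// Escape the five characters that matter in HTML text nodes and in
// double-quoted attribute values. Any untrusted string must pass through
// this before it is inserted into the document.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE (the pattern behind the advisory): the policy name and pattern
// are attacker-controlled and are written into the table row unescaped, so
// a name like "<img src=x onerror=...>" becomes live markup for whoever
// views the policies page.
function renderPolicyRowUnescaped(policy) {
  return `<tr><td>${policy.name}</td><td>${policy.pattern}</td></tr>`;
}

// FIXED: every field from the API is escaped at the point of rendering.
function renderPolicyRowEscaped(policy) {
  return `<tr><td>${escapeHtml(policy.name)}</td><td>${escapeHtml(policy.pattern)}</td></tr>`;
}

// Audit helper: walk any JSON value (e.g. the bodies of /api/policies and
// /api/connections from the management HTTP API) and report the path of
// every string containing HTML metacharacters or a javascript: URL.
// Useful for spotting planted payloads before or after patching.
const SUSPICIOUS = /[<>"']|javascript:/i;
function findUnsafeStrings(value, path = '', found = []) {
  if (typeof value === 'string') {
    if (SUSPICIOUS.test(value)) found.push({ path, value });
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => findUnsafeStrings(item, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      findUnsafeStrings(child, path ? `${path}.${key}` : key, found);
    }
  }
  return found;
}

// Constructed sample records modelled on the management API's JSON shape:
// one benign and one malicious policy, one benign and one malicious
// connection (the client-supplied version field is the injection point).
const SAMPLE_API_RESPONSES = {
  policies: [
    { name: 'ha-all', pattern: '.*', definition: { 'ha-mode': 'all' } },
    { name: '<img src=x onerror=alert(document.cookie)>', pattern: '.*',
      definition: { 'ha-mode': 'all' } },
  ],
  connections: [
    { user: 'app', client_properties: { product: 'Pika Python Client Library', version: '0.10.0' } },
    { user: 'guest', client_properties: { product: 'evil',
      version: '</td><script>fetch("/api/users")</script>' } },
  ],
};

// Stand-alone demonstration: show both renderings of the malicious policy
// and list every suspicious field in the sample data.
for (const policy of SAMPLE_API_RESPONSES.policies) {
  console.log('unescaped:', renderPolicyRowUnescaped(policy));
  console.log('escaped:  ', renderPolicyRowEscaped(policy));
}
for (const hit of findUnsafeStrings(SAMPLE_API_RESPONSES)) {
  console.log(`suspicious value at ${hit.path}: ${JSON.stringify(hit.value)}`);
}
```

The audit regex is deliberately broad (an apostrophe in a legitimate product
name will be reported too); for a one-off check of a cluster that may have
been exposed, a few false positives are preferable to missing a payload
that only fires when an administrator opens the page.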
See also :
Update the affected package.
Risk factor :
Low / CVSS Base Score : 3.5