Topic: Possible XSS issue - please upgrade

QueueMetrics

« on: March 15, 2013, 17:43:11 »
We have been notified by Dylan Webb of Allied Infosecurity that versions of QueueMetrics up to 12.10 may present a reflective XSS vulnerability - an attacker could execute arbitrary HTML or script code in a targeted user's browser. This could be leveraged to steal sensitive information such as user credentials and/or conduct other malicious activities.

We have patched the issue by releasing version 12.10.1.1, which is immediately available on our RPM repositories or through direct download. If you installed QM using yum, you should simply run:

Code:
yum update queuemetrics
to get the latest version.

Though the real-life impact of the issue may be moderate (especially if you run QM on an intranet), we suggest upgrading as a precautionary measure.
« Last Edit: March 15, 2013, 17:53:03 by QueueMetrics »