oss-sec mailing list archives
[SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability
From: Arina Ielchiieva <arina () apache org>
Date: Mon, 18 Dec 2017 12:35:21 +0200
*CVE-2017-12630 Apache Drill XSS vulnerability*

*Severity*: Important

*Vendor:* The Apache Software Foundation

*Versions Affected:* Apache Drill 1.11.0 and earlier

*Description*
In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page, users are able to pass arbitrary script or HTML which will take effect on the Profile page afterwards.

Example: After submitting a special script that returns cookie information from the Query page, a malicious user may obtain this information from the Profile page afterwards.

*Mitigation:*
Users of the affected versions should upgrade to Apache Drill 1.12.0 or later.

*Credit:* Sanjog Panda

Kind regards
Arina
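The advisory describes a stored XSS: text submitted on the Query page is persisted and later rendered verbatim on the Profile page. The following is an added illustration of the defence, not Apache Drill's own code; the profile fields, the two renderers and the `containsActiveMarkup` check are all assumptions constructed for this example. It renders one constructed profile both ways (unescaped, as in the affected versions, and with HTML escaping applied at the point of output, the standard fix) and runs a simple reviewer check over the result.

```javascript
// Added example (not Apache Drill's code): escape-on-output for stored query text.
// The stored query is untrusted data; it must be escaped wherever it is written into HTML.

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored query is interpolated straight into markup,
// so any tags it contains become part of the Profile page.
function renderProfileVulnerable(profile) {
  return `<h3>Query profile ${profile.id}</h3>\n<pre>${profile.query}</pre>`;
}

// Hardened rendering: every untrusted field is escaped at the point of output.
function renderProfileSafe(profile) {
  return `<h3>Query profile ${escapeHtml(profile.id)}</h3>\n<pre>${escapeHtml(profile.query)}</pre>`;
}

// Heuristic check for a test suite or template review: does an executable
// construct survive in rendered text content? Matches script tags and inline
// event handlers; it is a regression guard, not a full HTML sanitizer.
function containsActiveMarkup(html) {
  return /<script\b|<\/script|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample profile (hypothetical id and query; not real Drill data).
const sampleProfile = {
  id: 'example-profile-id',
  query: "SELECT 1 -- <script>alert('xss')</script>",
};

// Render the sample both ways and report whether active markup remains.
function demo(profile = sampleProfile) {
  const unsafe = renderProfileVulnerable(profile);
  const safe = renderProfileSafe(profile);
  return {
    unsafe,
    safe,
    unsafeActive: containsActiveMarkup(unsafe), // true: the tag reaches the page
    safeActive: containsActiveMarkup(safe),     // false: rendered as inert text
  };
}

const result = demo();
console.log('vulnerable:', result.unsafe, '\n  active markup:', result.unsafeActive);
console.log('hardened:  ', result.safe, '\n  active markup:', result.safeActive);
```

The same escaping has to be applied in every template that prints stored query text, not only the one shown; the `containsActiveMarkup` guard is useful precisely as a test that fails when a new template forgets it.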