From Arina Ielchiieva <ar...@apache.org>
Subject [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability
Date Mon, 18 Dec 2017 10:35:21 GMT
*CVE-2017-12630 Apache Drill XSS vulnerability*

*Severity*: Important

*Vendor:* The Apache Software Foundation

*Versions Affected:*
Apache Drill 1.11.0 and earlier

*Description*
In Apache Drill 1.11.0 and earlier, when submitting the form on the Query page,
users are able to pass arbitrary script or HTML, which then takes effect on the
Profile page afterwards.

Example:
After submitting a script that returns cookie information from the Query page,
a malicious user may obtain this information from the Profile page afterwards.
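As an added illustration (not Drill's code), the following constructed stand-in models the stored flow described above: query text submitted on one page is kept and echoed on a profile page. It shows the vulnerable interpolation beside the escaped form, plus a check a UI test could run to confirm that user-supplied text renders as inert text rather than live markup.

```python
import html

# Constructed in-memory store standing in for the web UI's query profiles.
# In the vulnerable pattern, whatever was typed on the Query page is kept
# here verbatim and later interpolated into the Profile page's HTML.
_PROFILES = {}


def submit_query(query_id: str, sql: str) -> None:
    """Record the raw text of a submitted query under its id (Query page side)."""
    _PROFILES[query_id] = sql


def render_profile_unsafe(query_id: str) -> str:
    """Vulnerable pattern: untrusted query text dropped straight into HTML.
    Any '<script>' or other tag in the query becomes live markup on the Profile page."""
    return f'<pre class="sql">{_PROFILES[query_id]}</pre>'


def render_profile_safe(query_id: str) -> str:
    """Hardened pattern: escape for the HTML text context before interpolation.
    quote=True also escapes quotes, so the same call is safe for attribute values."""
    escaped = html.escape(_PROFILES[query_id], quote=True)
    return f'<pre class="sql">{escaped}</pre>'


def user_content_is_inert(rendered: str) -> bool:
    """Check for a UI test: between the template's own opening and closing tag,
    the user-controlled region must contain no raw '<' or '"' characters."""
    start = rendered.index(">") + 1   # end of the template's opening tag
    end = rendered.rindex("<")        # start of the template's closing tag
    body = rendered[start:end]
    return "<" not in body and '"' not in body


if __name__ == "__main__":
    # Constructed sample input: a query whose comment carries a harmless tag.
    submit_query("q1", "SELECT 1 -- <script>/*constructed*/</script>")
    print("unsafe inert?", user_content_is_inert(render_profile_unsafe("q1")))
    print("safe inert?  ", user_content_is_inert(render_profile_safe("q1")))
```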

*Mitigation:*
Users of the affected versions should upgrade to Apache Drill 1.12.0 or later.

*Credit:*
Sanjog Panda

Kind regards
Arina
