List: oss-security
Subject: [oss-security] [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability
From: Arina Ielchiieva <arina () apache ! org>
Date: 2017-12-18 10:35:21
Message-ID: CAC1ju523-hOdd3tO1xkqZyxyvPVwM+CFETec2c14wrVa6K6hVg () mail ! gmail ! com
*CVE-2017-12630 Apache Drill XSS vulnerability*
*Severity*: Important
*Vendor:* The Apache Software Foundation
*Versions Affected:*
Apache Drill 1.11.0 and earlier
*Description*
In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page,
users are able to pass arbitrary script or HTML that is later rendered on the
Profile page.
Example:
After submitting a script that returns cookie information from the Query
page, a malicious user may obtain this information from the Profile page
afterwards.
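As an added illustration (not code from this advisory or from the Drill code base), the sketch below shows the bug class described above: query text submitted on one page is stored and then interpolated into another page's HTML without output encoding, next to the same rendering with escaping applied. All function names, the profile store and the sample query are hypothetical.

```python
import html

# Constructed stand-in for the server-side store that keeps a submitted
# query so it can be shown later on the profile page (hypothetical names;
# an illustration of the bug class, not Drill's own implementation).
PROFILES = {}


def submit_query(profile_id, query_text):
    """Query page handler: store the text exactly as the user sent it."""
    PROFILES[profile_id] = query_text


def render_profile_vulnerable(profile_id):
    """Profile page before the fix: the stored text is interpolated into
    the HTML verbatim, so any markup or script in it becomes part of the
    page and runs in the viewer's browser."""
    return "<pre class='query'>%s</pre>" % PROFILES[profile_id]


def render_profile_fixed(profile_id):
    """Profile page with output encoding: html.escape turns <, >, & and
    (with quote=True) both quote characters into entities, so the query
    is displayed as text rather than interpreted as markup."""
    escaped = html.escape(PROFILES[profile_id], quote=True)
    return "<pre class='query'>%s</pre>" % escaped


def contains_active_markup(rendered):
    """Defender-side check on the rendered page: is a raw script tag or
    inline event handler still present after rendering?"""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    # Constructed sample input: a query followed by a harmless test tag.
    submit_query("p1", "SELECT 1 -- <script>alert(1)</script>")
    print(render_profile_vulnerable("p1"))  # tag survives, XSS
    print(render_profile_fixed("p1"))       # tag is entity-encoded
```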
*Mitigation:*
Users of the affected versions should upgrade to Apache Drill 1.12.0 or
later.
*Credit:*
Sanjog Panda
Kind regards
Arina