Date: Mon, 18 Dec 2017 12:35:21 +0200
From: Arina Ielchiieva <arina@...che.org>
To: user <user@...ll.apache.org>, dev@...ll.apache.org, Sanjog <sanjogpandasp@...il.com>, security <security@...che.org>, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability

*CVE-2017-12630 Apache Drill XSS vulnerability*

*Severity:* Important

*Vendor:* The Apache Software Foundation

*Versions Affected:* Apache Drill 1.11.0 and earlier

*Description*

In Apache Drill 1.11.0 and earlier, a user submitting the form on the Query page can pass arbitrary script or HTML, which is stored and later rendered unescaped on the Profile page, where it takes effect. Example: after submitting a script that returns cookie information via the Query page, a malicious user may afterwards obtain that information from the Profile page.

*Mitigation:* Users of the affected versions should upgrade to Apache Drill 1.12.0 or later.

*Credit:* Sanjog Panda

Kind regards
Arina
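To illustrate the class of defect the advisory describes (submitted query text stored and then rendered as live HTML on a later page) beside the hardened pattern, here is an added example; it is not Apache Drill's code and does not reproduce Drill's Profile page templates. The function names and the sample queries are constructed for this illustration.

```python
import html
import re

# Constructed sample: text a user typed into a query form and that a profile
# page later renders. The second entry carries a harmless script tag as a probe.
SUBMITTED_QUERIES = [
    "SELECT * FROM cp.`employee.json` LIMIT 5",
    "SELECT 1 <script>document.title='probe'</script>",
    "SELECT '<b>bold</b>' FROM (VALUES(1))",
]


def render_profile_unescaped(query: str) -> str:
    """Vulnerable pattern: the stored query is interpolated into markup as-is,
    so any tag inside it becomes a live element when the page is viewed."""
    return f"<pre class='query'>{query}</pre>"


def render_profile_escaped(query: str) -> str:
    """Hardened pattern: HTML-encode the stored text at the point of output,
    so <, >, &, and quotes are shown literally and cannot form markup."""
    return f"<pre class='query'>{html.escape(query, quote=True)}</pre>"


def tag_names(fragment: str) -> list[str]:
    """Rough check used for review: names of the tags a rendered fragment
    actually contains. Only the template's own <pre> should ever appear."""
    return re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", fragment)


def injected_tags(render, query: str) -> list[str]:
    """Tags in the rendered output beyond the template's own <pre>...</pre>."""
    return [t for t in tag_names(render(query)) if t.lower() != "pre"]


if __name__ == "__main__":
    for q in SUBMITTED_QUERIES:
        print("unescaped ->", injected_tags(render_profile_unescaped, q))
        print("escaped   ->", injected_tags(render_profile_escaped, q))
```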