Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 18 Dec 2017 12:35:21 +0200
From: Arina Ielchiieva <arina@...che.org>
To: user <user@...ll.apache.org>, dev@...ll.apache.org, 
	Sanjog <sanjogpandasp@...il.com>, security <security@...che.org>, 
	oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability

*CVE-2017-12630 Apache Drill XSS vulnerability*

*Severity*: Important

*Vendor:* The Apache Software Foundation

*Versions Affected:*
Apache Drill 1.11.0 and earlier

*Description*
In Apache Drill 1.11.0 and earlier when submitting form from Query page
users are able to pass arbitrary script or HTML which will take effect on
Profile page afterwards.

Example:
After submitting special script that returns cookie information from Query
page, malicious user may obtain this information from Profile page
afterwards.

*Mitigation:*
Users of the affected versions should upgrade to Apache Drill to 1.12.0 and
later.

*Credit:*
Sanjog Panda

Kind regards
Arina

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ