Date: Mon, 18 Dec 2017 12:35:21 +0200 From: Arina Ielchiieva <arina@...che.org> To: user <user@...ll.apache.org>, dev@...ll.apache.org, Sanjog <sanjogpandasp@...il.com>, security <security@...che.org>, oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability *CVE-2017-12630 Apache Drill XSS vulnerability* *Severity*: Important *Vendor:* The Apache Software Foundation *Versions Affected:* Apache Drill 1.11.0 and earlier *Description* In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: After submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards. *Mitigation:* Users of the affected versions should upgrade to Apache Drill to 1.12.0 and later. *Credit:* Sanjog Panda Kind regards Arina
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.