Message-ID: <CAC1ju523-hOdd3tO1xkqZyxyvPVwM+CFETec2c14wrVa6K6hVg@mail.gmail.com>
Date: Mon, 18 Dec 2017 12:35:21 +0200
From: Arina Ielchiieva <arina@...che.org>
To: user <user@...ll.apache.org>, dev@...ll.apache.org, 
	Sanjog <sanjogpandasp@...il.com>, security <security@...che.org>, 
	oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-12630 Apache Drill XSS vulnerability

*CVE-2017-12630 Apache Drill XSS vulnerability*

*Severity*: Important

*Vendor:* The Apache Software Foundation

*Versions Affected:*
Apache Drill 1.11.0 and earlier

*Description*
In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page,
users are able to pass arbitrary script or HTML, which will take effect on the
Profile page afterwards.

Example:
After submitting a special script that returns cookie information from the Query
page, a malicious user may obtain this information from the Profile page
afterwards.

*Mitigation:*
Users of the affected versions should upgrade to Apache Drill 1.12.0 or later.

*Credit:*
Sanjog Panda

Kind regards
Arina
