Cross-Site Scripting Vulnerability in Apache Drill by Apache
CVE-2017-12630
5.4 MEDIUM
Summary
In Apache Drill 1.11.0 and earlier, a Cross-Site Scripting (XSS) vulnerability exists when users submit forms from the Query page. This flaw allows malicious individuals to inject arbitrary HTML or scripts, which can later be executed when the Profile page is accessed. For instance, an attacker could submit a script designed to retrieve cookie information, enabling them to extract sensitive data from the Profile page, thus compromising user accounts and data integrity.
Affected Version(s)
Apache Drill 1.11.0 and earlier
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved