CVE-2017-12630

5.4MEDIUM

Key Information:

Vendor: Apache
Status: Apache Drill
Vendor: CVE Published:; 18 December 2017

Summary

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.

Affected Version(s)

Apache Drill 1.11.0 and earlier

References

https://lists.apache.org/thread.html/608658a55d09e16542db...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 18, 2017
Vulnerability Reserved
Aug 7, 2017