CVE-2017-12630 – org.apache.drill:drill-common
Package
Manager: maven
Name: org.apache.drill:drill-common
Vulnerable Version: >=0 <1.12.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0072 (percentile 0.7162)
Details
Apache Drill vulnerable to Cross-site Scripting
In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page, users are able to pass arbitrary script or HTML, which will take effect on the Profile page afterwards. Example: after submitting a special script that returns cookie information from the Query page, a malicious user may obtain this information from the Profile page afterwards.
Metadata
Created: 2022-05-14T03:53:41Z
Modified: 2022-11-08T12:41:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xp4g-5xj6-6vpr/GHSA-xp4g-5xj6-6vpr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xp4g-5xj6-6vpr
Finding: F425
Auto approve: 1