GHSA-xp4g-5xj6-6vpr

Suggest an improvement
Source
https://github.com/advisories/GHSA-xp4g-5xj6-6vpr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xp4g-5xj6-6vpr/GHSA-xp4g-5xj6-6vpr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xp4g-5xj6-6vpr
Aliases
  • CVE-2017-12630
Published
2022-05-14T03:53:41Z
Modified
2023-11-08T03:58:53.853793Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Apache Drill vulnerable to Cross-site Scripting
Details

In Apache Drill 1.11.0 and earlier, when submitting form from Query page, users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2022-11-08T12:41:04Z",
    "nvd_published_at": "2017-12-18T14:29:00Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Maven / org.apache.drill:drill-common

Package

Name
org.apache.drill:drill-common
View open source insights on deps.dev
Purl
pkg:maven/org.apache.drill/drill-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.0

Affected versions

1.*
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xp4g-5xj6-6vpr/GHSA-xp4g-5xj6-6vpr.json"