CVE-2017-12630
Apache Drill vulnerable to Cross-site Scripting
5.4
MEDIUM
CVSS 3.1
EPSS 0.72%
Description
In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page, users are able to pass arbitrary script or HTML, which then takes effect on the Profile page. Example: after submitting a special script that returns cookie information from the Query page, a malicious user may obtain this information from the Profile page afterwards (a stored cross-site scripting issue).
How to fix CVE-2017-12630
To remediate CVE-2017-12630, upgrade the affected package to a fixed version listed below.
- upgrade to 1.12.0 or later
Is CVE-2017-12630 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.12.0 (all versions before 1.12.0)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |