Arbitrary Script Injection Vulnerability in Apache Drill 1.11.0 and Earlier

Arbitrary Script Injection Vulnerability in Apache Drill 1.11.0 and Earlier

CVE-2017-12630 · LOW Severity

AV:N/AC:M/AU:S/C:N/I:P/A:N

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.

Learn more about our Cis Benchmark Audit For Apache Http Server.