Note:
This project will be discontinued after December 13, 2021. [more]
2017-12-18
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.
Products | Drill |
Type | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) |
First patch | - None (likely due to unavailable code) |
Links | https://lists.apache.org/thread.html/608658a55d09e16542db41121a0a972c97448214cdc04071fd4db923%40%3Cdev.drill.apache.org%3E |