CVE-2017-12630

MEDIUM

Apache Drill < 1.11.0 - Stored Cross-Site Scripting via Query Page Form Submission

Title source: llm

Description

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.

References (1)

Core 1

Core References

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/608658a55d09e16542db41121a0a972c97448214cdc04071fd4db923%40%3Cdev.drill.apache.org%3E

Scores

CVSS v3 5.4

EPSS 0.0072

EPSS Percentile 72.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (3)

apache/drill < 1.11.0

Apache Software Foundation/Apache Drill 1.11.0 and earlier

org.apache.drill/drill-common 0 - 1.12.0Maven

Published Dec 18, 2017

Tracked Since Feb 18, 2026