CVE-2017-12630: Cross-site Scripting

December 18, 2017 (updated January 5, 2018)

In Apache Drill when submitting a form from the Query page, users are able to pass arbitrary script or HTML which will be rendered or executed on the Profile page. For example, after submitting script code that returns cookie information from the Query page, malicious users may obtain this information from the Profile page.

References

nvd.nist.gov/vuln/detail/CVE-2017-12630

Detect and mitigate CVE-2017-12630 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →