Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters
Moderate severity
GitHub Reviewed
Published
Jul 8, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Jul 7, 2022
Published to the GitHub Advisory Database
Jul 8, 2022
Reviewed
Jul 8, 2022
Last updated
Jan 27, 2023
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. This issue is patched in version 0.23.0.
References