CVE-2017-15092 — Cross-site Scripting in Recursor

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 99.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Powerdns Recursor Powerdns Recursor

Timeline

PublishedJan 23

Latest updateMay 13

Description

A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDpowerdns/recursor4.0.0 — 4.0.6

▶CVEListV5powerdns/powerdns_recursorfrom 4.0.0 up to and including 4.0.6

Patches

Patch: doc.powerdns.com ↗Patch: doc.powerdns.com ↗

🔴Vulnerability Details

GHSA

GHSA-5v6v-h944-2g93: A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4↗2022-05-13

▶

CVEList

CVE-2017-15092: A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4↗2018-01-23

▶

OSV

CVE-2017-15092: A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4↗2018-01-23

▶

📋Vendor Advisories

Debian

CVE-2017-15092: pdns-recursor - A cross-site scripting issue has been found in the web interface of PowerDNS Rec...↗2017

▶

💬Community

Bugzilla

CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 CVE-2017-15120 pdns-recursor: various flaws [epel-all]↗2017-12-11

▶

Bugzilla

CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 pdns-recursor: 4.0.7 release fixing security issues↗2017-12-11

▶