CVE-2017-15092

NameCVE-2017-15092
DescriptionA cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pdns-recursor (PTS)jessie3.6.2-2+deb8u4fixed
jessie (security)3.6.2-2+deb8u3fixed
stretch (security), stretch4.0.4-1+deb9u3fixed
buster, sid4.1.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pdns-recursorsource(unstable)4.0.7-1medium
pdns-recursorsourcejessie(not affected)
pdns-recursorsourcestretch4.0.4-1+deb9u2medium
pdns-recursorsourcewheezy(not affected)

Notes

[jessie] - pdns-recursor <not-affected> (Issue introduced in 4.0.0)
[wheezy] - pdns-recursor <not-affected> (Issue introduced in 4.0.0)
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
https://downloads.powerdns.com/patches/2017-05/

Search for package or bug name: Reporting problems