CVE-2017-15092

NameCVE-2017-15092
DescriptionA cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pdns-recursor (PTS)buster, buster (security)4.1.11-1+deb10u1fixed
bullseye4.4.2-3fixed
bookworm4.8.4-1fixed
bookworm (security)4.8.7-1fixed
sid, trixie4.9.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pdns-recursorsourcewheezy(not affected)
pdns-recursorsourcejessie(not affected)
pdns-recursorsourcestretch4.0.4-1+deb9u2
pdns-recursorsource(unstable)4.0.7-1

Notes

[jessie] - pdns-recursor <not-affected> (Issue introduced in 4.0.0)
[wheezy] - pdns-recursor <not-affected> (Issue introduced in 4.0.0)
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
https://downloads.powerdns.com/patches/2017-05/

Search for package or bug name: Reporting problems