CVE-2017-15092

A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content.

Published: Jan 23, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-15092
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
powerdns / recursor	4.0.0	4.0.6.x

http://www.securityfocus.com/bid/101982
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html

Vulnerability Database

289,599

CVE-2017-15092