Upstream information

CVE-2017-15092 at MITRE

Description

A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and JavaScript code into the web interface, altering the content.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)
  Base Score: 4.3
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

SUSE Bugzilla entry: 1069242 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 42.2
  • pdns-recursor >= 3.7.3-9.3.1
  • pdns-recursor-debuginfo >= 3.7.3-9.3.1
  • pdns-recursor-debugsource >= 3.7.3-9.3.1
Patchnames:
openSUSE-2017-1339
openSUSE Leap 42.3
  • pdns-recursor >= 4.0.5-3.1
  • pdns-recursor-debuginfo >= 4.0.5-3.1
  • pdns-recursor-debugsource >= 4.0.5-3.1
Patchnames:
openSUSE-2017-1339