In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.

packagechannelchannel versionpkg versionstatus
2020-05-19 15:55:23 UTC (0f5ce2)0.6.0vulnerable
2020-05-17 05:35:10 UTC (b47873)0.6.0vulnerable
2020-05-16 06:35:37 UTC (32b8ed)0.6.0vulnerable
2020-05-14 10:45:36 UTC (8ba41a)0.6.0vulnerable
2020-05-14 05:55:25 UTC (9a29fe)0.6.0vulnerable
2020-05-12 12:30:34 UTC (683c68)0.6.0vulnerable