CVE-2020-11983 – apache-airflow
Package
Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <1.10.11
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00411 (percentile 0.60613)
Details
Multiple stored XSS in RBAC Admin screens in Apache Airflow

An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
Metadata
Created: 2020-07-27T16:57:25Z
Modified: 2024-09-11T19:55:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-q4p3-qw5c-mhpc/GHSA-q4p3-qw5c-mhpc.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-q4p3-qw5c-mhpc
Finding: F425
Auto approve: 1