CVE-2020-11983: Cross-site Scripting in Apache Airflow

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.4% (top 38.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 17; Latest update Jul 27

Description

An issue was found in Apache Airflow versions 1.10.10 and below. Many of the admin management screens in the new RBAC UI handled output escaping incorrectly, allowing authenticated users with the appropriate permissions to store XSS payloads that are rendered to other users of those screens.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5: apache_software_foundation/apache_airflow, 1.10.10 and below
NVD: apache/airflow, 1.10.10

Vulnerability Details (4)

GHSA: Multiple stored XSS in RBAC Admin screens in Apache Airflow (2020-07-27)
OSV: Multiple stored XSS in RBAC Admin screens in Apache Airflow (2020-07-27)
OSV: CVE-2020-11983: An issue was found in Apache Airflow versions 1 (2020-07-17)
CVEList: CVE-2020-11983: An issue was found in Apache Airflow versions 1 (2020-07-16)