CVE-2022-46870

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

12.9%

top 5.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Zeppelin Apache Zeppelin

Timeline

PublishedDec 16

Latest updateDec 20

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDapache/zeppelin< 0.8.2

▶Mavenorg.apache.zeppelin:zeppelin< 0.8.2

▶CVEListV5apache_software_foundation/apache_zeppelin< 0.8.2

🔴Vulnerability Details

OSV

Apache Zeppelin Cross-site Scripting vulnerability↗2022-12-20

▶

GHSA

Apache Zeppelin Cross-site Scripting vulnerability↗2022-12-20

▶

CVEList

Apache Zeppelin: Stored XSS in note permissions↗2022-12-16

▶