Multiple stored XSS in RBAC Admin screens in Apache Airflow · CVE-2020-11983 · GitHub Advisory Database · GitHub

Multiple stored XSS in RBAC Admin screens in Apache Airflow

Moderate severity GitHub Reviewed Published Jul 27, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

apache-airflow (pip)

Affected versions

< 1.10.11

Patched versions

1.10.11

Description

An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.

References

Reviewed Jul 27, 2020

Published to the GitHub Advisory Database Jul 27, 2020

Last updated Jan 9, 2023

Severity

Moderate

5.4

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N