XSS in Apache Airflow
Moderate severity
GitHub Reviewed
Published
May 6, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
May 6, 2020
Published to the GitHub Advisory Database
May 6, 2020
Last updated
Jan 9, 2023
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
References