Stored XSS Vulnerability in Apache Zeppelin Affecting Version Prior to 0.8.0
CVE-2018-1328

6.1MEDIUM

Key Information:

Vendor
Apache
Status
Apache Zeppelin
Vendor
CVE Published:
23 April 2019

Summary

Apache Zeppelin versions prior to 0.8.0 are susceptible to a stored cross-site scripting (XSS) vulnerability. This issue arises from inadequate validation on Note permissions, allowing an attacker to inject malicious scripts that could execute in the context of a user's session. This vulnerability could lead to unauthorized data exposure and manipulation, compromising the integrity of the application and the confidentiality of user information. It is crucial for users of affected versions to update to 0.8.0 or later to mitigate the risks associated with this vulnerability.

Affected Version(s)

Apache Zeppelin prior to 0.8.0

References

https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b...
mailing-listx_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/04/23/1
mailing-listx_refsource_MLIST
https://zeppelin.apache.org/releases/zeppelin-release-0.8...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.