Apache Zeppelin: Stored XSS in note permissions
CVE-2022-46870

5.4MEDIUM

Key Information:

Vendor: Apache
Status: Apache Zeppelin
Vendor: CVE Published:; 16 December 2022

Summary

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

Affected Version(s)

Apache Zeppelin 0 < 0.8.2

References

https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrh...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 16, 2022
Vulnerability Reserved
Dec 9, 2022