Cross-Site Scripting Vulnerability in Apache Zeppelin by Apache
CVE-2024-41177

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Zeppelin
Vendor: CVE Published:; 3 August 2025

🔔 Create Apache Vulnerability Alert

What is CVE-2024-41177?

An incomplete blacklist vulnerability in Apache Zeppelin can be exploited to execute unauthorized scripts in the user's browser session. This flaw affects versions prior to 0.12.0, and users are strongly encouraged to upgrade to this latest version to rectify the vulnerability and enhance their application's security posture.

Affected Version(s)

Apache Zeppelin 0 < 0.12.0

References

https://github.com/apache/zeppelin/pull/4755

https://github.com/apache/zeppelin/pull/4795

https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbdd...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 3, 2025
Vulnerability Reserved
Jul 17, 2024

Credit

H Ming

.

CVE-2024-41177 : Cross-Site Scripting Vulnerability in Apache Zeppelin by Apache