CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link Severity: low Affected versions: - Apache Airflow before 2.10.0 Description: Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. Credit: sw0rd1ight (https://github.com/sw0rd1ight) (finder) Amogh Desai (remediation developer) Full Security Advisory: https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d

Actions:

View on HackerOne

Reported by sw0rd1ight

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Stored

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. I reported this vulnerability through the official Apache Airflow security email on July 21, 2024, and received a fix along with a CVE number on August 21, 2024. this is screenshot of email and ASF response email I submitted ███ █████ ███████ ## Impact Stored xss vulnerability can execute arbitrary xss and steal user credentials

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$497.00

Submitted

Weakness

Cross-site Scripting (XSS) - Stored