zeppelin-web is vulnerable to cross-site scripting. The WebsocketEventFactory function in websocket-event.factory.js does not properly escape the message attribute of incoming websocket events before it is rendered, so an attacker who controls that message can inject HTML and execute malicious JavaScript in the browser of the user who receives it.
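The bug class described above, as an added example that is not code from Zeppelin or from the linked fix: a websocket event's message text concatenated into notification markup without escaping, next to the escaped form. The frame layout, the field names (`op`, `data.info`), the wrapper markup and the function names are assumptions made for the illustration.

```javascript
// Added example (not Zeppelin's code): unescaped interpolation of a websocket
// message into HTML, beside the escaped version. Field names and wrapper
// markup are assumptions for this illustration.

// Constructed sample websocket frame. A real frame would arrive through
// ws.onmessage; here it is a string literal so the example runs offline.
const SAMPLE_FRAME = JSON.stringify({
  op: 'ERROR_INFO',
  data: { info: '<img src=x onerror="alert(document.cookie)">' },
});

// Vulnerable pattern: the message is concatenated straight into markup that a
// notification widget will later assign to innerHTML, so any tag in it runs.
function renderNotificationUnsafe(message) {
  return '<div class="notification">' + message + '</div>';
}

// Single-pass HTML escape for text nodes and double-quoted attribute values.
// One replace() with a lookup table avoids the double-escaping mistake of
// chaining separate replace('&') and replace('<') calls in the wrong order.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: same markup, message escaped before interpolation.
function renderNotificationSafe(message) {
  return '<div class="notification">' + escapeHtml(message) + '</div>';
}

// Event handler in the shape of a factory-produced callback: parse the frame,
// pull out the message, hand it to whichever renderer is in use. Malformed
// JSON and non-string payloads are rejected rather than coerced.
function handleFrame(rawFrame, render) {
  let event;
  try {
    event = JSON.parse(rawFrame);
  } catch (e) {
    return null;
  }
  const message = event && event.data ? event.data.info : undefined;
  if (typeof message !== 'string') {
    return null;
  }
  return render(message);
}

// Review aid: number of '<' characters in the rendered output. The fixed
// wrapper contributes exactly two; anything above that is injected markup
// that survived rendering.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Side-by-side run on the constructed frame.
const unsafeHtml = handleFrame(SAMPLE_FRAME, renderNotificationUnsafe);
const safeHtml = handleFrame(SAMPLE_FRAME, renderNotificationSafe);
console.log('unsafe:', unsafeHtml, '->', countTagOpeners(unsafeHtml), 'tag openers');
console.log('safe:  ', safeHtml, '->', countTagOpeners(safeHtml), 'tag openers');
```

Escaping belongs at the sink, not at the websocket layer: the same message string may be rendered in several places, and a consumer that writes it with textContent or a template binding that already escapes would otherwise show literal `&lt;` entities. Where the framework offers a text binding instead of an HTML one, preferring that binding over manual escaping removes the class of bug entirely.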
github.com/apache/zeppelin/commit/c8eabde13f226fd0647c623e6eb67170768d02d1
github.com/apache/zeppelin/pull/3452
issues.apache.org/jira/browse/ZEPPELIN-4333
issues.apache.org/jira/browse/ZEPPELIN-4335
lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc
www.mail-archive.com/[email protected]/msg07820.html