Lucene search
Veracode Vulnerability DatabaseVERACODE:38525HistoryDec 19, 2022 - 4:31 a.m.
Cross-site Scripting (XSS)
2022-12-1904:31:12
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
13
zeppelin-web
xss
websocketeventfactory
vulnerability
javascript
EPSS
0.001
Percentile
48.9%
zeppelin-web is vulnerable to cross-site scripting. The vulnerability exists because the WebsocketEventFactory function in websocket-event.factory.js does not properly escape the message attribute before being rendered, allowing an attacker to inject and execute malicious JavaScript.
References
github.com/apache/zeppelin/commit/c8eabde13f226fd0647c623e6eb67170768d02d1
github.com/apache/zeppelin/pull/3452
issues.apache.org/jira/browse/ZEPPELIN-4333
issues.apache.org/jira/browse/ZEPPELIN-4335
lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc
www.mail-archive.com/[email protected]/msg07820.html
Related
osv
osv
CVE-2022-46870
2022-12-16 13:15:09
Apache Zeppelin Cross-site Scripting vulnerability
2022-12-20 21:30:19
cve
cve
CVE-2022-46870
2022-12-16 13:15:09
cnvd
cnvd
Apache Zeppelin Cross-Site Scripting Vulnerability (CNVD-2022-89420)
2022-12-20 00:00:00
cvelist
cvelist
CVE-2022-46870 Apache Zeppelin: Stored XSS in note permissions
2022-12-16 12:55:37
nvd
nvd
CVE-2022-46870
2022-12-16 13:15:09
prion
prion
Cross site scripting
2022-12-16 13:15:00
github
github
Apache Zeppelin Cross-site Scripting vulnerability
2022-12-20 21:30:19