Site icon API Security Blog

Internet Bug Bounty: CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link

image
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. I reported this vulnerability through the official Apache Airflow security email on July 21, 2024, and received a fix along with a CVE number on August 21, 2024. this is screenshot of email and ASF response email I submitted ███ █████ ███████ Impact Stored xss vulnerability can execute arbitrary xss and steal user…Read More

Exit mobile version