{"id":"PYSEC-2020-17","details":"An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.","aliases":["BIT-airflow-2020-11983","CVE-2020-11983","GHSA-q4p3-qw5c-mhpc"],"modified":"2023-12-06T01:00:02.824210Z","published":"2020-07-17T00:15:00Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q4p3-qw5c-mhpc"}],"affected":[{"package":{"name":"apache-airflow","ecosystem":"PyPI","purl":"pkg:pypi/apache-airflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.11rc1"}]}],"versions":["1.8.1","1.8.2rc1","1.8.2","1.9.0","1.10.0","1.10.1b1","1.10.1rc2","1.10.1","1.10.2b2","1.10.2rc1","1.10.2rc2","1.10.2rc3","1.10.2","1.10.3b1","1.10.3b2","1.10.3rc1","1.10.3rc2","1.10.3","1.10.4b2","1.10.4rc1","1.10.4rc2","1.10.4rc3","1.10.4rc4","1.10.4rc5","1.10.4","1.10.5rc1","1.10.5","1.10.6rc1","1.10.6rc2","1.10.6","1.10.7rc1","1.10.7rc2","1.10.7rc3","1.10.7","1.10.8rc1","1.10.8","1.10.9rc1","1.10.9","1.10.10rc1","1.10.10rc2","1.10.10rc3","1.10.10rc4","1.10.10rc5","1.10.10"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2020-17.yaml"}}],"schema_version":"1.7.3"}