4 matches found
Cross-Site Scripting (XSS)
org.apache.zeppelin:zeppelin-web is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to an incomplete blacklist of user input, which allows an attacker to inject malicious scripts and execute them in a victim’s browser...
Cross-site Scripting (XSS)
Overview: org.apache.zeppelin:zeppelin-web is a web-based notebook. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via insufficient input validation in the Helium module. An attacker can execute arbitrary scripts in the context of the user's browser by injecting...
Cross Site Request Forgery (CSRF)
org.apache.zeppelin:zeppelin-web is vulnerable to Cross Site Request Forgery (CSRF). The vulnerability is due to inadequate validation of requests, which allows an attacker to submit malicious requests via phishing...
Cross-site Scripting (XSS)
zeppelin-web is vulnerable to cross-site scripting. The vulnerability exists because the WebsocketEventFactory function in websocket-event.factory.js does not properly escape the message attribute before it is rendered, allowing an attacker to inject and execute malicious JavaScript...