spark-core_2.12 is vulnerable to cross-site scripting. The vulnerability exists because the loadMore function of log-view.js does not properly escape the log content rendered in the UI, allowing an attacker to inject a malicious JavaScript payload into the logs that executes when the log content is rendered.
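The unescaped-rendering pattern described above, next to a hardened form, as an added example that is not Spark's code. All function names, the sample log chunk and the step that drops a truncated first line are assumptions made for illustration.

```javascript
// Added example: models a log viewer that prepends a fetched chunk of log
// text to the markup of a <pre> element. Hypothetical names, not Spark's.

// Constructed sample chunk; the last line carries attacker-controlled markup.
const SAMPLE_CHUNK =
  'tail of a line cut by the byte-range fetch\n' +
  '22/06/17 10:00:01 INFO Executor: task 1 finished\n' +
  '22/06/17 10:00:02 WARN App: user=<img src=x onerror="alert(1)">\n';

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed viewer behaviour: drop the first, possibly truncated, line.
function trimToLineStart(chunk) {
  const nl = chunk.indexOf('\n');
  return nl === -1 ? chunk : chunk.substring(nl + 1);
}

// Vulnerable pattern: log text reaches the HTML parser unchanged.
function renderChunkUnsafe(existingHtml, chunk) {
  return trimToLineStart(chunk) + existingHtml;
}

// Hardened pattern: log text is escaped before it becomes markup.
function renderChunkSafe(existingHtml, chunk) {
  return escapeHtml(trimToLineStart(chunk)) + existingHtml;
}

// Check helper: counts element start tags an HTML parser would recognise.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log('unsafe tags:', countTags(renderChunkUnsafe('', SAMPLE_CHUNK)));
console.log('safe tags:  ', countTags(renderChunkSafe('', SAMPLE_CHUNK)));
```

In a browser, inserting the chunk as a text node or through textContent gives the same result without a hand-written escaper.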
www.openwall.com/lists/oss-security/2022/11/01/14
github.com/apache/spark/commit/07edae97342ae3095b370a3f780b61c94241e771
github.com/apache/spark/commit/ad90195de56688ce0898691eb9d04297ab0871ad
github.com/apache/spark/pull/36902
issues.apache.org/jira/browse/SPARK-39505
lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q