EPSS Percentile: 31.6%
spark-core is vulnerable to cross-site scripting (XSS) attacks. The attacks are possible because it does not use the stripXSS() function in the pages calling request.getParameter() in UIUtils.
seclists.org/oss-sec/2017/q3/122
github.com/apache/spark/pull/17686
github.com/apache/spark/pull/19528
issues.apache.org/jira/browse/SPARK-20393