spark-core is vulnerable to cross-site scripting (XSS). An attacker is able to inject arbitrary script into a user’s browser by constructing a URL that points to a Spark cluster’s job and stage information pages. When exploited, an attacker is able to steal the user’s credentials or information from the user’s view of the Spark UI.