[ https://issues.apache.org/jira/browse/AIRFLOW-1617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16170478#comment-16170478 ]
ASF subversion and git services commented on AIRFLOW-1617:
----------------------------------------------------------

Commit e1a2d74c0045c9231f7a5365c956b8e048dd6af3 in incubator-airflow's branch refs/heads/v1-9-test from [~bolke]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=e1a2d74 ]

[AIRFLOW-1617] Fix XSS vulnerability in Variable endpoint

In case a Variable form was accessed by a get request and
the form did not exist as a template, the input was
returned as is to the user.

Closes #2611 from bolkedebruin/xss_fix

> XSS Vulnerability in Variable endpoint
> --------------------------------------
>
>                 Key: AIRFLOW-1617
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1617
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: webserver
>    Affects Versions: 1.8.2
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: security
>             Fix For: 1.9.0, 1.8.3
>
>
> Variable view has an XSS vulnerability when the Variable template does not
> exist. The input is returned to the user as is, without escaping.
> Original report by Seth Long. CVE is pending

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
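The bug class described in the commit message above, as an added example that is not Airflow's code and not part of the original message: a handler that echoes an unknown form name into its error response, next to a version that HTML-escapes it. The function names, the `KNOWN_FORMS` registry, the error string and the probe value are all assumptions made for illustration.

```python
from html import escape

# Hypothetical stand-in for the set of form templates that exist on disk.
KNOWN_FORMS = {"example_form": "<form>...</form>"}

# Constructed probe string used to check whether markup is reflected unescaped.
PROBE = "<script>alert(1)</script>"


def variable_form_vulnerable(form, templates=KNOWN_FORMS):
    """Return (body, status); an unknown form name is echoed back as is."""
    if form in templates:
        return templates[form], 200
    # Request-controlled input is placed into an HTML response unescaped.
    return "Error: form {} not found.".format(form), 404


def variable_form_fixed(form, templates=KNOWN_FORMS):
    """Same lookup, but the reflected name is HTML-escaped before output."""
    if form in templates:
        return templates[form], 200
    return "Error: form {} not found.".format(escape(form)), 404


def reflects_raw_markup(handler, probe=PROBE):
    """Regression check: True if the handler returns the probe unescaped."""
    body, _status = handler(probe)
    return probe in body


if __name__ == "__main__":
    for handler in (variable_form_vulnerable, variable_form_fixed):
        print(handler.__name__, "reflects raw markup:", reflects_raw_markup(handler))
```

A check like `reflects_raw_markup` is worth keeping as a regression test for every error path that includes request input in its response body.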