[ https://issues.apache.org/jira/browse/AIRFLOW-1617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16571789#comment-16571789 ]
Bolke de Bruin commented on AIRFLOW-1617:
-----------------------------------------

Yes it does.

> XSS Vulnerability in Variable endpoint
> --------------------------------------
>
> Key: AIRFLOW-1617
> URL: https://issues.apache.org/jira/browse/AIRFLOW-1617
> Project: Apache Airflow
> Issue Type: Bug
> Components: webserver
> Affects Versions: 1.8.2
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Fix For: 1.9.0
>
>
> Variable view has an XSS vulnerability when the Variable template does not
> exist. The input is returned to the user as is, without escaping.
> Original report by Seth Long. CVE is pending

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
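
An added illustration of the bug class the issue describes, not Airflow's code and not part of the original message: a minimal standard-library WSGI view whose "template not found" response echoes the requested name, once as is and once HTML-escaped. The route prefix, template table, error wording and function names are assumptions made for the example.

```python
import html

PREFIX = "/variables/"  # hypothetical route prefix
# Constructed stand-in for the templates the view can find.
TEMPLATES = {"demo": "<h1>Variable form: demo</h1>"}
PROBE = "<script>alert(1)</script>"  # constructed test input


def not_found_unescaped(form):
    # Pattern from the report: the input is returned to the user as is.
    return "Error: template {}.html not found.".format(form)


def not_found_escaped(form):
    # Same message, with the name HTML-escaped before it is sent back.
    return "Error: template {}.html not found.".format(
        html.escape(form, quote=True))


def make_app(render_error):
    """Build a WSGI app that serves PREFIX + <form> as text/html."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        form = path[len(PREFIX):] if path.startswith(PREFIX) else ""
        if form in TEMPLATES:
            status, body = "200 OK", TEMPLATES[form]
        else:
            # The missing-template branch is where the name is reflected.
            status, body = "404 Not Found", render_error(form)
        start_response(status, [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode("utf-8")]
    return app


def request(app, path):
    """Call the app in-process and return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    chunks = app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response)
    return seen["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    for name, fn in (("as is", not_found_unescaped),
                     ("escaped", not_found_escaped)):
        print(name, *request(make_app(fn), PREFIX + PROBE))
```

A regression test for this kind of fix asserts on the raw response body of the error path, since the 404 branch is easy to overlook when only successful renders are tested.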