Hi Airflow community,

Please find below the information about a vulnerability which has been addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug, so I would recommend that users upgrade to Airflow 1.10.14 (released yesterday):

*CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter*

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to an XSS exploit. This is the same as CVE-2020-13944, but the fix implemented in Airflow 1.10.12 did not fix the issue completely.

Reported by Ali Al-Habsi of Accellion.

Thanks.
Kaxil @ Airflow PMC
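An added example, not code from this advisory or from the Airflow project: one way to treat an "origin"-style return URL as untrusted, combining an allow-list check with output encoding so that a gap in one layer is not enough on its own. `ALLOWED_HOST`, `DEFAULT_URL`, `safe_origin` and `render_back_link` are hypothetical names, and the sample inputs are constructed.

```python
from html import escape
from urllib.parse import urlsplit

ALLOWED_HOST = "airflow.example.com"  # assumption: host the UI is served from
DEFAULT_URL = "/admin/"               # assumption: safe fallback page


def safe_origin(origin, host=ALLOWED_HOST, default=DEFAULT_URL):
    """Return origin only if it stays on this site; otherwise the fallback."""
    if not origin:
        return default
    # Browsers drop tabs/newlines and treat "\" like "/", so a value can
    # change meaning after a parser approved it. Refuse control characters,
    # whitespace and backslashes outright.
    if "\\" in origin or any(ord(c) < 0x21 or ord(c) == 0x7F for c in origin):
        return default
    try:
        parts = urlsplit(origin)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return default
    if parts.scheme in ("http", "https"):
        # Absolute URL: the whole authority (userinfo and port included)
        # must equal our host.
        return origin if parts.netloc.lower() == host else default
    if parts.scheme or parts.netloc:
        return default  # javascript:, data:, //other-host/ and similar
    # Relative URL: exactly one leading slash ("///x" can resolve off-site).
    if origin.startswith("/") and not origin.startswith("//"):
        return origin
    return default


def render_back_link(origin):
    """Validation limits the destination; escaping keeps it inside href."""
    return '<a href="{}">Cancel</a>'.format(
        escape(safe_origin(origin), quote=True))


if __name__ == "__main__":
    # Constructed sample values for the "origin" query parameter.
    for sample in ["/admin/airflow/tree?dag_id=example",
                   "javascript:alert(1)",
                   "//other.example/x",
                   '/admin/?q="><b>']:
        print(repr(sample), "->", render_back_link(sample))
```
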