CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43982 – Apache Airflow prior to 2.4.2 allows reflected XSS via Origin Query Argument in URL
https://notcve.org/view.php?id=CVE-2022-43982
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. En las versiones de Apache Airflow anteriores a la 2.4.2, la pantalla "Trigger DAG with config" era susceptible a ataques XSS a través del argumento de consulta "origin". • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43985 – Apache Airflow prior to 2.4.2 has an open redirect
https://notcve.org/view.php?id=CVE-2022-43985
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. En las versiones de Apache Airflow anteriores a la 2.4.2, había una redirección abierta en el punto final `/confirm` del servidor web. • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41672 – Session still functional after user is deactivated
https://notcve.org/view.php?id=CVE-2022-41672
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. En Apache Airflow, versiones anteriores a 2.4.1, desactivar un usuario no impedía que un usuario ya autenticado pudiera seguir usando la Interfaz de Usuario o la API • https://github.com/apache/airflow/pull/26635 https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y • CWE-613: Insufficient Session Expiration •