CVE-2024-31868

MEDIUM

Apache Zeppelin 0.8.2-0.11.0 - Stored Cross-Site Scripting via helium.json

Title source: llm

Description

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers who can modify helium.json can expose normal users to stored cross-site scripting (XSS) attacks. This issue affects Apache Zeppelin from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References (3)


Scores

CVSS v3 6.1
EPSS 0.0151
EPSS Percentile 81.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
apache/zeppelin 0.8.2 - 0.11.1
org.apache.zeppelin/zeppelin-interpreter 0.8.2 - 0.11.1 (Maven)
Published Apr 09, 2024
Tracked Since Feb 18, 2026