
トピトピニュース


Featured

  • Posted by GitHub: [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • Posted by GitHub: [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability
  • Posted by GitHub: [org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files
  • Posted by GitHub: [com.h2database:h2] Password exposure in H2 Database

[apache-airflow] Apache Airflow Open Redirect vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • 11/03/2022 / 11/09/2022

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver’s /confirm endpoint.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-43985
https://github.com/apache/airflow/pull/27143
https://lists.apache.org/thread/m13y9s5…

[org.apache.sling:org.apache.sling.cms] Apache Sling App CMS vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 11/03/2022 / 11/04/2022

A cross-site scripting vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the taxonomy management feature.
References

https://nvd.nist.gov/vuln/…

[apollo-server-core] Batched HTTP requests may set incorrect `cache-control` response header

  • Posted in MODERATE
  • Posted by GitHub
  • 11/03/2022 / 11/03/2022

Impact
In Apollo Server 3 and 4, the cache-control HTTP response header may not reflect the cache policy that should apply to an HTTP request when that HTTP request contains multiple operations using HTTP batching. This could lead to data being inappro…

[ckb] ckb: Large dep group requires a lot of resources to process but the cost to commit the transaction is very low.

  • Posted in MODERATE
  • Posted by GitHub
  • 11/03/2022 / 11/03/2022

Impact
When a transaction contains a dep group with many cells, the resources required to process it do not scale linearly with either the transaction size or the script cycles spent.
Patches
In 0.43.3, nodes drop the transactions relayed to them when they contain a dep…

[cryptography] Vulnerable OpenSSL included in cryptography wheels

  • Posted in MODERATE
  • Posted by GitHub
  • 11/03/2022

pyca/cryptography’s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. More details about the vulnerabilities themselves can be found in http…

[tobiasbg/tablepress] TablePress Plugin vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 11/02/2022 / 11/03/2022

A cross-site scripting vulnerability was found in an unknown function of the component Table Import Handler. Manipulation of the argument Import data leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been …

[pyspark] Apache Spark vulnerable to Injection

  • Posted in MODERATE
  • Posted by GitHub
  • 11/02/2022 / 11/11/2022

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned…

[org.apache.dolphinscheduler:dolphinscheduler] Apache DolphinScheduler vulnerable to Path Traversal

  • Posted in MODERATE
  • Posted by GitHub
  • 11/02/2022 / 11/02/2022

When users add resources to the resource center with a relative path, this vulnerability causes path traversal issues for logged-in users. Users should upgrade to version 3.0.0 to avoid this issue.
References

https://nvd.nist.gov/vuln/detail/CVE-2…

[node-red-dashboard] node-red-dashboard vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 11/01/2022 / 11/04/2022

node-red-dashboard contains a cross-site scripting vulnerability. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The attack may be initiated remotely. The iss…

[org.apache.tomcat:tomcat] Apache Tomcat may reject request containing invalid Content-Length header

  • Posted in MODERATE
  • Posted by GitHub
  • 11/01/2022 / 11/02/2022

If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request conta…
