The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.
{ "cpes": [ "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*" ], "severity": "Medium" }