In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
{
"cpe": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.10.15"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}