H Ming

**Name of the Vulnerable Software and Affected Versions** Apache Zeppelin versions prior to 0.12.0 **Description** This issue is an incomplete blacklist leading to a Cross-Site Scripting (XSS) condition in Apache Zeppelin. **Recommendations** Upgrade to version 0.12.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Zeppelin versions 0.11.1 through 0.12.0 **Description** An improper input validation issue exists in Apache Zeppelin. The fix for JDBC URL validation did not account for URL encoded input. **Recommendations** Upgrade to version 0.12.0.

**Name of the Vulnerable Software and Affected Versions** Apache Zeppelin versions 0.8.2 through 0.11.0 **Description** The issue is related to improper encoding or escaping of output, allowing attackers to modify `helium.json` and perform cross-site scripting attacks on normal users. **Recommendations** For Apache Zeppelin versions 0.8.2 through 0.11.0, upgrade to version 0.11.1, which fixes the issue. As a temporary workaround, consider restricting access to the `helium.json` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.6.0 **Description** The issue is related to the deserialization of untrusted data, which allows attackers to bypass the `autoDeserialize` option filtering by adding blanks. This can potentially lead to the execution of arbitrary code. **Recommendations** To solve the issue, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7674.