CVE-2023-49299: 
Java vulnerability analysis and mitigation

A critical Improper Input Validation vulnerability (CVE-2023-49299) was discovered in Apache DolphinScheduler affecting versions up to 3.1.9. The vulnerability allows authenticated users to execute arbitrary, unsandboxed JavaScript on the server (NVD, SecurityOnline).

The vulnerability is classified as CWE-20 (Improper Input Validation) and has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated users to execute arbitrary, unsandboxed JavaScript code on the server, potentially leading to system compromise, data manipulation, or service disruption. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability (SecurityOnline).

Users are strongly recommended to upgrade to Apache DolphinScheduler version 3.1.9, which contains the fix for this vulnerability. It's worth noting that this vulnerability was later found to be incompletely fixed and required additional patching in version 3.2.1 as documented in CVE-2024-23320 (OpenWall).