Apache Zeppelin before 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".
apache zeppelin