CVE-2023-49657

2024-01-2315:15:11

CWE-79

[email protected]

web.nvd.nist.gov

apache superset

xss

cross-site scripting

vulnerability

security

configuration

cve-2023-49657

nvd

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

0.0005 Low

EPSS

Percentile

16.1%

JSON

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.

For 2.X versions, users should change their config to include:

TALISMAN_CONFIG = {
“content_security_policy”: {
“base-uri”: [“‘self’”],
“default-src”: [“‘self’”],
“img-src”: [“‘self’”, “blob:”, “data:”],
“worker-src”: [“‘self’”, “blob:”],
“connect-src”: [
“‘self’”,
" https://api.mapbox.com" https://api.mapbox.com" ;,
" https://events.mapbox.com" https://events.mapbox.com" ;,
],
“object-src”: “‘none’”,
“style-src”: [
“‘self’”,
“‘unsafe-inline’”,
],
“script-src”: [“‘self’”, “‘strict-dynamic’”],
},
“content_security_policy_nonce_in”: [“script-src”],
“force_https”: False,
“session_cookie_secure”: False,
}

Affected configurations

Vulners

NVD

Node

apachesupersetRange≤3.0.3

CPENameOperatorVersion
apache:supersetapache supersetlt3.0.3

CPE	Name	Operator	Version
apache:superset	apache superset	lt	3.0.3

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Superset",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.0.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]