Lucene search

GitHub Advisory DatabaseGHSA-9F88-WG5R-947J

HistoryJan 16, 2023 - 12:30 p.m.

Apache Superset vulnerable to Cross-site Scripting

2023-01-1612:30:18

CWE-79

GitHub Advisory Database

github.com

apache superset

xss vulnerability

dashboard rendering

markdown components

authenticated users

create dashboard permissions

software

security issue

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.6%

JSON

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected configurations

Vulners

Node

apachesupersetMatch2.0.0

apachesupersetRange≤1.5.2

VendorProductVersionCPE
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:*:*:*:*:*:*:*
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:::::::*
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

github.com/advisories/GHSA-9f88-wg5r-947j

lists.apache.org/thread/g6zy6vkpvkbj5mj32vmyzwol5ldtg9pl

nvd.nist.gov/vuln/detail/CVE-2022-43717