Lucene search

GitHub Advisory DatabaseGHSA-WQ8Q-99P5-XFRW

HistoryNov 27, 2023 - 12:30 p.m.

Apache Superset Cross-site Scripting vulnerability

2023-11-2712:30:55

CWE-79

GitHub Advisory Database

github.com

apache superset

cross-site scripting

chart metadata

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.2%

JSON

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart’s metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.
Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Affected configurations

Vulners

Node

apachesupersetRange<2.1.2

CPENameOperatorVersion
apache-supersetlt2.1.2

CPE	Name	Operator	Version
	apache-superset	lt	2.1.2

References

www.openwall.com/lists/oss-security/2023/11/27/4

github.com/advisories/GHSA-wq8q-99p5-xfrw

lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892

nvd.nist.gov/vuln/detail/CVE-2023-43701