Apache Superset 2.0.0 Remote Code Execution Exploit

Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their userid to that of an administrator, and re-sign the cooki...