ApacheSuperset

17 matches found

CVE-2023-36388
added 2023/09/06 1:15 p.m., 2499 views

Improper REST API permission in Apache Superset up to and including 2.1.0 allows authenticated Gamma users to test network connections, possible SSRF.

CVSS 5.4, AI score 5.2, EPSS 0.00159
CVE-2023-36387
added 2023/09/06 1:15 p.m., 2488 views

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

CVSS 5.4, AI score 5.3, EPSS 0.00027
CVE-2024-26016
added 2024/02/28 12:15 p.m., 93 views

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subj...

CVSS 5.4, AI score 4.9, EPSS 0.0017
CVE-2019-12413
added 2019/12/16 10:15 p.m., 84 views

In Apache Incubator Superset before 0.31, a user could query database metadata information from a database they have no access to, by using a specially crafted complex query.

CVSS 5.3, AI score 5, EPSS 0.0067
CVE-2021-27907
added 2021/03/05 12:15 p.m., 71 views

Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing a chart's related information. Abusing this functionality, a malicious user could inject JavaScript code that executes unwanted actions in the context of the user's browser. The javas...

CVSS 5.4, AI score 5.3, EPSS 0.02922
CVE-2019-12414
added 2019/12/16 10:15 p.m., 68 views

In Apache Incubator Superset before 0.32, a user can view database names that they have no access to on a dropdown list in SQLLab.

CVSS 5.3, AI score 5, EPSS 0.00145
CVE-2021-32609
added 2021/10/18 3:15 p.m., 65 views

Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.

CVSS 5.4, AI score 5.3, EPSS 0.11688
CVE-2022-45438
added 2023/01/16 11:15 a.m., 64 views

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed an unauthenticated user to access dashboard configuration metadata using a REST API GET endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

CVSS 5.3, AI score 5.2, EPSS 0.0025
CVE-2022-43721
added 2023/01/16 11:15 a.m., 60 views

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site; users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

CVSS 5.4, AI score 5.2, EPSS 0.00236
CVE-2024-53948
added 2024/12/09 2:15 p.m., 60 views

Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

CVSS 5.3, AI score 6.5, EPSS 0.00267
CVE-2022-43717
added 2023/01/16 11:15 a.m., 59 views

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

CVSS 5.4, AI score 5.1, EPSS 0.00406
CVE-2022-41703
added 2023/01/16 11:15 a.m., 58 views

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature ...

CVSS 5.4, AI score 5.4, EPSS 0.00146
CVE-2022-43718
added 2023/01/16 11:15 a.m., 57 views

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

CVSS 5.4, AI score 5.1, EPSS 0.01028
CVE-2022-43720
added 2023/01/16 11:15 a.m., 57 views

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and ...

CVSS 5.4, AI score 5.3, EPSS 0.00421
CVE-2023-43701
added 2023/11/27 11:15 a.m., 39 views

Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in a Chart's metadata; this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superse...

CVSS 5.4, AI score 4.9, EPSS 0.00177
CVE-2023-27523
added 2023/09/06 1:15 p.m., 36 views

Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.

CVSS 5, AI score 4.6, EPSS 0.00086
CVE-2023-42502
added 2023/11/28 5:15 p.m., 34 views

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header; users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

CVSS 5.4, AI score 4.9, EPSS 0.00091