CVE-2021-27907

CWE-79Cross-site Scripting (XSS)7 documents5 sources
Severity
5.4MEDIUM
EPSS
4.3%
top 11.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedMar 5
Latest updateJan 17

Description

Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

PyPIapache-superset< 0.38.1
NVDapache/superset0.38.0
CVEListV5apache_software_foundation/apache_supersetApache Superset0.38.0

🔴Vulnerability Details

4
GHSA
Apache Superset Stored XSS on Dashboard markdown2022-05-24
OSV
Apache Superset Stored XSS on Dashboard markdown2022-05-24
OSV
CVE-2021-27907: Apache Superset up to and including 02021-03-05
CVEList
Apache Superset stored XSS on Dashboard markdown2021-03-05

🔍Detection Rules

2
Suricata
ET WEB_SPECIFIC_APPS Apache Superset Markdown Component Stored Cross-Site Scripting (CVE-2021-27907) M22025-01-17
Suricata
ET WEB_SPECIFIC_APPS Apache Superset Markdown Component Stored Cross-Site Scripting (CVE-2021-27907) M12025-01-17
CVE-2021-27907 (MEDIUM CVSS 5.4) | Apache Superset up to and including | cvebase.io