CVE-2023-43701 — Cross-site Scripting in Software Foundation Apache Superset

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.3

EPSS

0.2%

top 59.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedNov 27

Description

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/superset< 2.1.2

▶CVEListV5apache_software_foundation/apache_superset< 2.1.2

🔴Vulnerability Details

CVEList

Apache Superset: Stored XSS on API endpoint↗2023-11-27

▶

OSV

Apache Superset Cross-site Scripting vulnerability↗2023-11-27

▶

GHSA

Apache Superset Cross-site Scripting vulnerability↗2023-11-27

▶