CVE-2023-49657 — Cross-site Scripting in Software Foundation Apache Superset

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA9.6

EPSS

0.4%

top 39.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedJan 23

Description

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: TALISMAN_CONFIG = { "content_security_policy": { "base-uri": ["'self'"], "default-src": ["'self'"], "img-src": ["'self'", "blob:", "data:"], "worker-src": ["'self'", "blob:"], "con…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/superset< 3.0.3

▶CVEListV5apache_software_foundation/apache_superset< 3.0.3

🔴Vulnerability Details

GHSA

Cross-site Scripting in Apache superset↗2024-01-23

▶

OSV

Cross-site Scripting in Apache superset↗2024-01-23

▶

CVEList

Apache Superset: Stored XSS in Dashboard Title and Chart Title↗2024-01-23

▶