Apache Software Foundation Apache Superset vulnerabilities

63 known vulnerabilities affecting apache_software_foundation/apache_superset.

Total CVEs: 63
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 9, MEDIUM 50, LOW 1

Vulnerabilities

Page 4 of 4
CVE-2021-28125 | MEDIUM | CVSS 6.1 | Apache Superset ≤ 1.0.1 | 2021-04-27
CVE-2021-28125 [MEDIUM] CWE-601: Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.
Sources: cvelistv5, nvd
CVE-2021-27907 | MEDIUM | CVSS 5.4 | Apache Superset ≤ 0.38.0 | 2021-03-05
CVE-2021-27907 [MEDIUM] CWE-79: Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS
Sources: cvelistv5, nvd
CVE-2020-1932 | MEDIUM | CVSS 6.5 | v0.34.0, v0.34.1, +2 more | 2020-01-28
CVE-2020-1932 [MEDIUM]: An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.
Sources: cvelistv5, nvd