CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title
First published: Tue Jan 23 2024(Updated: )
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: TALISMAN_CONFIG = { "content_security_policy": { "base-uri": ["'self'"], "default-src": ["'self'"], "img-src": ["'self'", "blob:", "data:"], "worker-src": ["'self'", "blob:"], "connect-src": [ "'self'", " https://api.mapbox.com" https://api.mapbox.com" ;, " https://events.mapbox.com" https://events.mapbox.com" ;, ], "object-src": "'none'", "style-src": [ "'self'", "'unsafe-inline'", ], "script-src": ["'self'", "'strict-dynamic'"], }, "content_security_policy_nonce_in": ["script-src"], "force_https": False, "session_cookie_secure": False, }
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-superset | <3.0.3 | 3.0.3 |
| Apache Superset | <3.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/oss-sec
- source/oss-sec
- alias/CVE-2023-49657
- agent/title
- agent/first-publish-date
- agent/weakness
- agent/type
- agent/author
- agent/references
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rwhh-6x83-84v6
- agent/description
- collector/nvd-cve
- agent/event
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- vendor/apache
- canonical/apache superset
- package-manager/pip