Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Advisories: GSA_kwCzR0hTQS1mcG1yLXFtZ2gtNDJ4Ms4AAw_p

Apache Superset vulnerable to Injection

An authenticated attacker with write permission on CSS templates can create a template record containing HTML tags that are not properly escaped in the toast message displayed when a user deletes that CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions, and version 2.0.0.

Permalink: https://github.com/advisories/GHSA-fpmr-qmgh-42x2

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 22 days ago
Updated: 14 days ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-fpmr-qmgh-42x2, CVE-2022-43720
References:

Affected Packages

pypi:apache-superset
Versions: = 2.0.0, <= 1.5.2
No known fixed version