CVE-2021-27907

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-27907
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27907.json
Aliases
Published
2021-03-05T12:15:12Z
Modified
2023-11-29T08:21:43.482749Z
Details

Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code.

References

Affected packages

Git / github.com/apache/incubator-superset

Affected ranges

Type
GIT
Repo
https://github.com/apache/incubator-superset
Events
Introduced
0The exact introduced commit is unknown
Last affected
6d605c958a089f535fa685cc6a1b6cf8eb26e276
Type
GIT
Repo
https://github.com/apache/superset
Events
Introduced
0The exact introduced commit is unknown
Last affected
6d605c958a089f535fa685cc6a1b6cf8eb26e276

Affected versions

0.*

0.10.0
0.11.0
0.12.0
0.13.1
0.13.2
0.14.1
0.15.0
0.15.1
0.15.3
0.15.4
0.15.4.1
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.18.2
0.18.3
0.18.4
0.18.5
0.19.1
0.2.1
0.20.1
0.25-fork
0.29.0rc1
0.38.0
0.38.0rc1
0.38.0rc2
0.38.0rc3
0.38.0rc4
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.7.0
0.8.0
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.9.0
0.9.1

airbnb_prod.*

airbnb_prod.0.10.0.2
airbnb_prod.0.11.0.1
airbnb_prod.0.11.0.2
airbnb_prod.0.11.0.3
airbnb_prod.0.11.0.4
airbnb_prod.0.11.0.5
airbnb_prod.0.11.0.6
airbnb_prod.0.12.0.1
airbnb_prod.0.12.1.0
airbnb_prod.0.13.0.0
airbnb_prod.0.13.0.1
airbnb_prod.0.13.0.2
airbnb_prod.0.13.0.3
airbnb_prod.0.15.0.1
airbnb_prod.0.15.4.1
airbnb_prod.0.15.4.2
airbnb_prod.0.15.5.0

Other

dummy
rm
test_tag