GHSA-wq8q-99p5-xfrw

Source
https://github.com/advisories/GHSA-wq8q-99p5-xfrw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wq8q-99p5-xfrw/GHSA-wq8q-99p5-xfrw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wq8q-99p5-xfrw
Aliases
Published
2023-11-27T12:30:55Z
Modified
2025-02-05T09:11:40.548494Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Apache Superset Cross-site Scripting vulnerability
Details

Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in a chart's metadata. This code could be executed if a user accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Database specific
{
    "nvd_published_at": "2023-11-27T11:15:07Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T20:53:29Z"
}
References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.1.2

Affected versions

0.*

0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3

2.*

2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1