CVE-2021-32609 apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <1.2.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.09674 (percentile: 0.92604)

Details

Apache Superset Cross-site Scripting (XSS) vulnerability on the Explore page

Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting HTML (including scripts) into the page.

Metadata

Created: 2022-05-24T19:17:47Z
Modified: 2024-09-12T21:16:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-f8vc-f28w-x9c9
Finding: F425
Auto approve: 1