CVSSv3 5.4

CVE-2023-49657

Published: 23/01/2024 Updated: 29/01/2024
CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3
VMScore: 0

Vulnerability Summary

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset prior to 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        # no 'unsafe-inline' for scripts; a per-response nonce is added to
        # script-src via content_security_policy_nonce_in below
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
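As an added example, not code from the advisory, from Apache Superset or from Flask-Talisman, the script below takes the TALISMAN_CONFIG policy above as data, renders it into the Content-Security-Policy header value it corresponds to (standard CSP syntax: directives separated by "; ", sources by spaces, with a 'nonce-...' source appended to the directives named in content_security_policy_nonce_in), and audits the directives that decide whether a stored HTML or script snippet could still execute. The function names (render_csp, audit_csp, weakened_policy), the nonce handling and the audit rules are this example's own choices, and the weakened policy is a constructed counter-example.

```python
# Added example (not code from the advisory, Apache Superset or Flask-Talisman):
# render the advisory's TALISMAN_CONFIG policy into a Content-Security-Policy
# header value and audit the directives that matter for stored XSS.
# Helper names, nonce handling and audit rules are this example's own.
import secrets
from typing import Dict, Iterable, List, Optional, Union

CSPValue = Union[str, List[str]]
CSPPolicy = Dict[str, CSPValue]

# The policy the advisory recommends for Superset 2.X, copied here as data.
ADVISORY_TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}


def _sources(policy: CSPPolicy, directive: str) -> Optional[List[str]]:
    """Normalise a directive value to a list; a bare string is one source."""
    value = policy.get(directive)
    if value is None:
        return None
    return [value] if isinstance(value, str) else list(value)


def render_csp(policy: CSPPolicy, nonce_in: Iterable[str] = (),
               nonce: Optional[str] = None) -> str:
    """Serialise a policy mapping into CSP header syntax.

    Directives are joined by '; ' and each directive's sources by spaces.
    For every directive named in nonce_in a 'nonce-<value>' source is appended,
    which is what content_security_policy_nonce_in asks Talisman to do per
    response; a fresh random nonce is generated when none is supplied.
    """
    nonce_in = set(nonce_in)
    nonce = nonce or secrets.token_urlsafe(16)
    parts = []
    for directive in policy:
        sources = _sources(policy, directive)
        if directive in nonce_in:
            sources = sources + [f"'nonce-{nonce}'"]
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def audit_csp(policy: CSPPolicy) -> List[str]:
    """Return the findings a reviewer would raise before deploying the policy.

    Each rule covers a way stored markup could still run script: inline or
    eval'd script allowed, script loadable from anywhere, plugin content
    allowed, or base-uri unset (it does not fall back to default-src).
    An empty list means the policy passes these checks.
    """
    findings = []
    script = _sources(policy, "script-src") or _sources(policy, "default-src")
    if script is None:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    else:
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if bad in script:
                findings.append(f"script-src allows {bad}")
    if _sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if _sources(policy, "base-uri") is None:
        findings.append("base-uri is not set")
    return findings


def weakened_policy() -> CSPPolicy:
    """Constructed counter-example: inline script allowed, object-src and
    base-uri left unset. Not a configuration the advisory recommends."""
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'"],
    }


if __name__ == "__main__":
    policy = ADVISORY_TALISMAN_CONFIG["content_security_policy"]
    nonce_in = ADVISORY_TALISMAN_CONFIG["content_security_policy_nonce_in"]
    print(render_csp(policy, nonce_in))
    print("advisory policy findings:", audit_csp(policy))
    print("weakened policy findings:", audit_csp(weakened_policy()))
```

Running it prints the header once with a random nonce (so the 'strict-dynamic' script-src only trusts scripts carrying that nonce, plus whatever they load), no findings for the advisory's policy, and three findings for the weakened one. The audit deliberately says nothing about 'unsafe-inline' in style-src, which the advisory's own policy keeps; style injection is a separate, lower-severity concern from script execution.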

Vulnerable Product

apache superset

Mailing Lists

Hi, On 230124 14:18, Daniel Gaspar wrote: > affected from 0 through 3.0.3 > #21822 fix(dashboard): Prevent XSS attack vector (@agl-developer) which links to [5] as the relevant PR [1] lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx [2] www.cve.org/CVERecord?id=CVE-2023-49657 [3] superset.apache.or ...
Affected versions: - Apache Superset through 3.0.3 Description: A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, us ...