CVE-2023-49657

23.01.2024, 15:15

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3.An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.

For 2.X versions, users should change their config to include:

TALISMAN_CONFIG = {
  "content_security_policy": {
    "base-uri": ["'self'"],
    "default-src": ["'self'"],
    "img-src": ["'self'", "blob:", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": [
      "'self'",
      " https://api.mapbox.com" https://api.mapbox.com" ;,
      " https://events.mapbox.com" https://events.mapbox.com" ;,
    ],
    "object-src": "'none'",
    "style-src": [
      "'self'",
      "'unsafe-inline'",
    ],
    "script-src": ["'self'", "'strict-dynamic'"],
  },
  "content_security_policy_nonce_in": ["script-src"],
  "force_https": False,
  "session_cookie_secure": False,
}

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.6 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
apache	CNA	9.6 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
apache	superset	𝑥 < 3.0.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx