Published: 24 May 2022
Source: github
GitHub: Reviewed
CVSS4: 5.1
CVSS3: 5.4
Description
Apache Superset Cross-site Scripting (XSS) vulnerability on the Explore page
Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-32609
- https://github.com/advisories/GHSA-f8vc-f28w-x9c9
- https://github.com/apache/superset
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-377.yaml
- https://lists.apache.org/thread.html/r2c09254e98b4f8b3deb422762bd0e2aa6d743b72d96c2f90cbaae31a%40%3Cdev.superset.apache.org%3E
Packages
Name	Ecosystem	Affected versions	Fixed version
apache-superset	pip	< 1.2.0	1.2.0
Related vulnerabilities
CVSS3: 5.4
nvd
more than 4 years ago
Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.