CVE-2023-49657

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Jan 23, 2024

Updated: Jan 29, 2024

CWE ID 79

Summary

CVE-2023-49657 is a stored cross-site scripting (XSS) vulnerability affecting Apache Superset prior to version 3.0.3. With create/update permissions on charts or dashboards, an authenticated attacker can inject malicious scripts or HTML snippets, which are then executed as stored XSS. For Superset 2.X versions, it's recommended to update the config with a Content Security Policy that only allows sources from 'self' and specific trusted domains.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Apache Superset

Affected Vendors

Apache Software Foundation

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/tmmCqW
https://www.cve.org/CVERecord?id=CVE-2023-49657
https://nvd.nist.gov/vuln/detail/CVE-2023-49657

Back to Vulnerability Database