GHSA-rwhh-6x83-84v6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rwhh-6x83-84v6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rwhh-6x83-84v6/GHSA-rwhh-6x83-84v6.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rwhh-6x83-84v6
- Aliases
- Published
- 2024-01-23T15:30:58Z
- Modified
- 2024-01-29T19:16:26.492508Z
- Severity
-
- 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Cross-site Scripting in Apache superset
- Details
-
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.
For 2.X versions, users should change their config to include:
TALISMANCONFIG = { "contentsecuritypolicy": { "base-uri": ["'self'"], "default-src": ["'self'"], "img-src": ["'self'", "blob:", "data:"], "worker-src": ["'self'", "blob:"], "connect-src": [ "'self'", " https://api.mapbox.com" https://api.mapbox.com" ;, " https://events.mapbox.com" https://events.mapbox.com" ;, ], "object-src": "'none'", "style-src": [ "'self'", "'unsafe-inline'", ], "script-src": ["'self'", "'strict-dynamic'"], }, "contentsecuritypolicynoncein": ["script-src"], "forcehttps": False, "sessioncookiesecure": False, }
- Database specific
{ "nvd_published_at": "2024-01-23T15:15:11Z", "cwe_ids": [ "CWE-79" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-01-23T20:10:58Z" }- References
Affected packages
PyPI / apache-superset
Package
- Name
- apache-superset
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-superset
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.0.3