Saif Salah

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions prior to 4.1.2 **Description** Apache Superset uses a configurable dictionary, `DISALLOWED SQL FUNCTIONS`, to limit the execution of potentially sensitive SQL functions in SQL Lab and charts. A flaw exists because the default list for the ClickHouse engine was not comprehensive, allowing potentially harmful SQL functions to be executed. **Recommendations** Upgrade to version 4.1.2 to resolve the issue.