Pedro Sousa

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions prior to 6.0.0 **Description** An issue exists in Apache Superset that allows an authenticated user with read access to conduct error-based SQL injection. This is due to improper neutralization of special elements used in a SQL command. The issue can be triggered via the `sqlExpression` or `where` parameters. **Recommendations** Upgrade to version 6.0.0 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 5.0.0 Description: A stored Cross-Site Scripting (XSS) issue exists in the chart visualization feature. An authenticated user with chart editing permissions can inject a malicious payload into a column's label. This payload is not properly sanitized and is executed in the victim's browser when hovering over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. Recommendations: Upgrade to version 5.0.0.

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.3 Description: A guest user accessing a chart in Apache Superset receives an API response from the `/chart/data` endpoint that includes a `query` field. This field improperly discloses database schema information, such as table names, to the low-privileged guest user. Recommendations: Upgrade to version 4.1.3.

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 5.0.0 Description: A bypass of the `DISALLOWED SQL FUNCTIONS` security feature allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, potentially leading to the disclosure of sensitive database information, such as the software version. Recommendations: Upgrade to version 5.0.0.

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 5.0.0 Description: Apache Superset contains an improper access control issue in its `/explore` endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the `datasource id` in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. Recommendations: Upgrade to version 5.0.0.

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions prior to 4.1.2 **Description** An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into `sqlExpression` fields. This allowed the execution of sub-queries to evade parsing defenses, ultimately granting unauthorized access to data. **Recommendations** For Apache Superset versions prior to 4.1.2, update to version 4.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the `sqlExpression` fields to minimize the risk of exploitation.