PT-2021-17661 · Apache · Apache Superset

Dario Castrogiovanni +1
Published: 2021-03-05 · Updated: 2025-02-05
CVE-2021-27907
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apache Superset versions up to and including 0.38.0
Description: The issue allows a malicious user to inject JavaScript code, executing unwanted actions in the context of another user's browser, by creating a Markdown component on a Dashboard page. This is achieved by creating a "div" section and embedding in it an "svg" element that carries JavaScript code. The injected JavaScript code runs automatically when a legitimate user visits the dashboard page, resulting in a Stored XSS attack.
Recommendations: For Apache Superset versions up to and including 0.38.0, consider disabling the Markdown component on Dashboard pages until a patch is available, to prevent the injection of malicious JavaScript code. Restrict access to the Dashboard page to minimize the risk of exploitation. Avoid using the "div" section and "svg" element in the Markdown component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
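The root cause is that the Markdown component passes raw HTML through to the browser, so a defender-side control is an allowlist sanitizer run over the rendered output before it is stored or served. The Python sanitizer below is an added example, not Apache Superset's own code or the fix the project later shipped; the allowlist contents, the helper names and the sample input are assumptions constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
# Allowlist for a Markdown widget; "svg", "script", "iframe" and "object" are deliberately absent.
ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "a", "ul", "ol", "li", "h1", "h2", "h3", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "div": {"class"}, "span": {"class"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# Void elements never get an end tag, so they must not open a nesting level.
VOID_TAGS = {"br", "hr", "img", "input", "embed", "source", "link", "meta", "wbr"}
class MarkdownHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # removed tag names, worth logging as a tamper signal
        self._skip_depth = 0   # > 0 while inside a disallowed element such as svg
    def handle_starttag(self, tag, attrs):
        if self._skip_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self._skip_depth += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (on*), unknown attributes and non-web href schemes are removed.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._skip_depth:
            self._skip_depth -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip_depth:   # text inside a dropped element is dropped too
            self.out.append(escape(data, quote=False))

def sanitize_markdown_html(html):
    parser = MarkdownHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped   # (clean_html, dropped_tag_names)

# Constructed sample mirroring the advisory: a div wrapping an svg that carries script.
SAMPLE = ('<div class="note"><svg onload="run()"><script>run()</script></svg>'
          '<p onclick="run()">Sales <b>Q1</b></p><a href="javascript:run()">x</a></div>')
```

A non-empty dropped list on a stored dashboard is itself a useful detection signal: legitimate Markdown content should never need svg or script elements.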

XSS

Related Identifiers

BDU:2025-01878
BIT-SUPERSET-2021-27907
CVE-2021-27907
GHSA-W358-RJ93-R5QV
PYSEC-2021-127

Affected Products

Apache Superset