PT-2023-14306 · Apache · Apache Superset
Anton Vaychikauskas · Published 2023-01-16 · Updated 2025-04-07 · CVE-2022-43720
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Superset versions 1.5.2 and prior
Apache Superset version 2.0.0
Description
Stored cross-site scripting. An authenticated attacker with write permission on CSS templates can save a template whose record contains HTML tags. When another user (for example an administrator) later deletes that CSS template record, the confirmation toast message interpolates the record's content without proper escaping, so the injected markup is rendered, and any script it carries executes, in the deleting user's browser session.
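The following is an added example, not Apache Superset's own code, that models the flaw class described above: a delete-confirmation toast that interpolates a stored, attacker-controlled record name into HTML without escaping, shown beside an escaped form. The function names, the toast markup, the check helper and the payload string are all constructed for illustration; the actual Superset code path is not reproduced here.

```javascript
// Added example (not Apache Superset code). Models a toast that reports the
// deletion of a record whose name came from a user with write permission on
// that record type. Runs under Node without a DOM: the "toast" is a string.

// Hypothetical vulnerable renderer: the stored name lands in markup unchanged.
function renderToastUnsafe(templateName) {
  return `<div class="toast">Deleted CSS template "${templateName}"</div>`;
}

// Minimal HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: escape before interpolation. In a React UI the equivalent
// is to render the name as a text child rather than through an HTML-string API.
function renderToastSafe(templateName) {
  return `<div class="toast">Deleted CSS template "${escapeHtml(templateName)}"</div>`;
}

// Constructed payload: a template name that an attacker with CSS-template write
// permission could store. It fires without user interaction once rendered as HTML.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Check helper for the example: does the toast body (the part between the outer
// <div> tags) still contain a live HTML element that a browser would parse?
function containsActiveMarkup(toastHtml) {
  const body = toastHtml.replace(/^<div class="toast">/, '').replace(/<\/div>$/, '');
  return /<[a-z][^>]*>/i.test(body);
}

// Stand-alone run: the unsafe toast carries the attacker's element, the safe one
// shows it as literal text.
console.log('unsafe:', renderToastUnsafe(PAYLOAD));
console.log('safe:  ', renderToastSafe(PAYLOAD));
console.log('unsafe executes markup:', containsActiveMarkup(renderToastUnsafe(PAYLOAD)));
console.log('safe executes markup:  ', containsActiveMarkup(renderToastSafe(PAYLOAD)));
```

The point the example makes is about trust boundaries: the name was validated, if at all, when a low-privileged user wrote it, but it is rendered later in the session of whoever performs the deletion, so output encoding at the render site is what protects the higher-privileged victim.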
Recommendations
For Apache Superset versions 1.5.2 and prior, update to Apache Superset 2.0.1 or later, which fixes this issue.
For Apache Superset version 2.0.0, update to Apache Superset 2.0.1 or later, which fixes this issue.
As a temporary workaround, restrict write permission on CSS templates to trusted roles. The exposure is to the user who deletes a malicious template, so the permission matters most where it is held by users less trusted than those who administer templates.
Weakness Enumeration
Special Elements Injection
Related Identifiers
CVE-2022-43720
Affected Products
Apache Superset