CVE-2022-43720

CVE-2022-43720: Apache Superset: Improper rendering of user input

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-74

Published January 16, 2023

Last update April 7, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Key dates

Disclosure timeline

January 16, 2023 CVE published

April 7, 2025 Record updated

Identifiers

CVE CVE-2022-43720

CWE CWE-74

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 2.0.0 and < 2.0.1

Vendor Apache Software Foundation

Product Apache Superset

Affected ≤ 1.5.2