CVE-2023-43701 MEDIUM

CVE-2023-43701: Apache Superset: Stored XSS on API endpoint

Vendor Apache Software Foundation
Product Apache Superset
Weakness CWE-79 · XSS
Published November 27, 2023
Last update August 2, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in a Chart's metadata; this code could be executed if a user specifically accessed a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Key dates

Disclosure timeline

November 27, 2023 CVE published
August 2, 2024 Record updated