{"id":"GHSA-rwhh-6x83-84v6","summary":"Cross-site Scripting in Apache superset","details":"A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.\n\nFor 2.X versions, users should change their config to include:\n\nTALISMAN_CONFIG = {\n    \"content_security_policy\": {\n        \"base-uri\": [\"'self'\"],\n        \"default-src\": [\"'self'\"],\n        \"img-src\": [\"'self'\", \"blob:\", \"data:\"],\n        \"worker-src\": [\"'self'\", \"blob:\"],\n        \"connect-src\": [\n            \"'self'\",\n            \" https://api.mapbox.com\" https://api.mapbox.com\" ;,\n            \" https://events.mapbox.com\" https://events.mapbox.com\" ;,\n        ],\n        \"object-src\": \"'none'\",\n        \"style-src\": [\n            \"'self'\",\n            \"'unsafe-inline'\",\n        ],\n        \"script-src\": [\"'self'\", \"'strict-dynamic'\"],\n    },\n    \"content_security_policy_nonce_in\": [\"script-src\"],\n    \"force_https\": False,\n    \"session_cookie_secure\": False,\n}","aliases":["BIT-superset-2023-49657","CVE-2023-49657"],"modified":"2025-02-05T09:11:51.290316Z","published":"2024-01-23T15:30:58Z","database_specific":{"cwe_ids":["CWE-79"],"github_reviewed":true,"nvd_published_at":"2024-01-23T15:15:11Z","severity":"CRITICAL","github_reviewed_at":"2024-01-23T20:10:58Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49657"},{"type":"PACKAGE","url":"https://github.com/apache/superset"},{"type":"WEB","url":"https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/01/23/5"}],"affected":[{"package":{"name":"apache-superset","ecosystem":"PyPI","purl":"pkg:pypi/apache-superset"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.3"}]}],"versions":["0.34.0","0.34.1","0.35.1","0.35.2","0.36.0","0.37.0","0.37.1","0.37.2","0.38.0","0.38.1","1.0.0","1.0.1","1.1.0","1.2.0","1.3.0","1.3.1","1.3.2","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.5.3","2.0.0","2.0.1","2.1.0","2.1.1","2.1.1rc1","2.1.1rc2","2.1.1rc3","2.1.2","2.1.3","3.0.0","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.0rc4","3.0.1","3.0.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rwhh-6x83-84v6/GHSA-rwhh-6x83-84v6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}]}