oss-sec mailing list archives
Re: CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title
From: Christian Fischer <christian.fischer () greenbone net>
Date: Tue, 23 Jan 2024 16:45:39 +0100
Hi, On 23.01.24 14:18, Daniel Gaspar wrote:
Affected versions: - Apache Superset through 3.0.3 *snip* in Apache Superset before 3.0.3
it seems there is some inconsistency in the affected / fixed versions mentioned here, in [1] as well as in the following part of the CVE entry [2]:
> affected from 0 through 3.0.3While [3] doesn't list this CVE yet it seems 3.0.3 is the actual fixed version as [4] mentions a relevant entry around an XSS in a "Dashboard":
> #21822 fix(dashboard): Prevent XSS attack vector (@agl-developer) which links to [5] as the relevant PR. [1] https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx [2] https://www.cve.org/CVERecord?id=CVE-2023-49657 [3] https://superset.apache.org/docs/security/cves/[4] https://github.com/apache/superset/blob/3.0.3/CHANGELOG.md#303-tue-jan-9-164807-2023--0300
[5] https://github.com/apache/superset/pull/21822 Regards, -- Christian Fischer | PGP Key: 0x54F3CE5B76C597AD Greenbone AG, Neumarkt 12, 49074 Osnabrück, Germany https://www.greenbone.net/ Company registry: Amtsgericht Osnabrück, HRB 218768 Board of directors: Dr. Jan-Oliver Wagner (CEO), Elmar Geese Chairman of the Supervisory Board: Lukas Grunwald
Current thread:
- CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Daniel Gaspar (Jan 23)
- Re: CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Christian Fischer (Jan 23)