CVE-2021-27907: Apache Superset stored XSS on Dashboard markdown

[daniel gaspar <danielvazgaspar () gmail com>]

Description:

Apache Superset  up to and including 0.38.0 allowed the creation of a
Markdown component on a Dashboard page for describing chart's related
information. Abusing this functionality, a malicious user could inject
javascript code executing unwanted action in the context of the user's
browser. The javascript code will be automatically executed (Stored
XSS) when a legitimate user surfs on the dashboard page. The
vulnerability is exploitable creating a “div” section and embedding in
it a “svg” element with javascript code.

Credit:

This issue was reported by Gianluca Veltri and Dario Castrogiovanni of Cuebiq