CVE-2022-43717

MEDIUM

Apache Superset < 1.5.2 and 2.0.0 - Authenticated Stored Cross-Site Scripting in Dashboard Markdown Components

Title source: llm
STIX 2.1

Description

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

References (1)

Core 1
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/g6zy6vkpvkbj5mj32vmyzwol5ldtg9pl

Scores

CVSS v3 5.4
EPSS 0.0150
EPSS Percentile 81.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
apache/superset 2.0.0 (3 CPE variants)
apache/superset < 1.5.2
pypi/apache-superset 0PyPI
Published Jan 16, 2023
Tracked Since Feb 18, 2026