CVE-2022-43718

MEDIUM

Apache Superset <=1.5.2 and 2.0.0 - Authenticated Cross-Site Scripting in Upload Data Forms

Title source: llm
STIX 2.1

Description

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

References (1)

Core 1
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/8615608jt2x7b3rmqrtngldy8pn3nz2r

Scores

CVSS v3 5.4
EPSS 0.0050
EPSS Percentile 66.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
apache/superset 2.0.0 (3 CPE variants)
apache/superset < 1.5.2
pypi/apache-superset 0PyPI
Published Jan 16, 2023
Tracked Since Feb 18, 2026