
Apache Superset has patched a critical vulnerability that could lead to stored cross-site scripting attacks.
The vulnerability, tracked as CVE-2023-49657 with a CVSS score of 9.6, is a stored cross-site scripting (XSS) flaw. It allows an authenticated attacker who holds create or update permissions on charts or dashboards to inject malicious scripts or specific HTML snippets. Because the injected content is stored and rendered for other users, it can then execute unauthorized commands or access sensitive information, all under the guise of a legitimate user's session.
The vulnerability exists in versions of Apache Superset before 3.0.3, which puts at risk the many data-driven enterprises that rely on the platform for their analytics.
In response, the Apache Software Foundation and the Superset project addressed and patched this flaw in version 3.0.3. For 2.x versions, users should change their config to include:
# Talisman (Content Security Policy) settings recommended for Superset 2.x
TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        # no 'unsafe-inline' here: Superset's own inline scripts are allowed via the nonce below
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
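As an added example that is not part of the advisory or of Superset's own code, the following Python (standard library only) serialises a `content_security_policy` dict into the header value a browser would receive and flags the settings a defender should check before relying on the 2.x workaround; `HARDENED_CSP` copies the policy above, while `WEAK_CSP` is a constructed counter-example.

```python
from typing import Dict, List, Union

CSP = Dict[str, Union[str, List[str]]]

# The advisory's recommended 2.x policy, copied from the config above.
HARDENED_CSP: CSP = {
    "base-uri": ["'self'"],
    "default-src": ["'self'"],
    "img-src": ["'self'", "blob:", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'strict-dynamic'"],
}

# Constructed weak policy: the shape that lets markup stored in a chart run scripts.
WEAK_CSP: CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "*"],
    "object-src": ["'self'"],
}


def _values(src: Union[str, List[str]]) -> List[str]:
    """Talisman accepts a string or a list per directive; normalise to a list."""
    return [src] if isinstance(src, str) else list(src)


def render_csp(csp: CSP) -> str:
    """Serialise the dict into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(_values(src))}" for name, src in csp.items())


def csp_findings(csp: CSP) -> List[str]:
    """Weaknesses relevant to a stored XSS payload in a chart or dashboard.
    An empty list means the policy passes these checks."""
    findings: List[str] = []
    script = _values(csp.get("script-src", csp.get("default-src", [])))
    if not script:
        findings.append("no script-src or default-src: inline scripts are unrestricted")
    # Flagged even though nonce-aware browsers ignore it once a nonce is present.
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline': injected <script> blocks run")
    for bad in ("*", "data:", "http:", "https:"):
        if bad in script:
            findings.append(f"script-src allows {bad}: scripts from any such origin load")
    if _values(csp.get("object-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none': injected plugin/embed content can load")
    if "base-uri" not in csp:
        findings.append("base-uri unset: an injected <base> tag can redirect relative script URLs")
    return findings
```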

