Apache Superset Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-49657)

Qualys Security Advisory

Apache Superset, an open-source data visualization application, is vulnerable to a flaw that could allow an attacker to perform stored cross-site scripting (XSS) attacks. Tracked as CVE-2023-49657, the vulnerability has a critical severity with a CVSS score of 9.6. To exploit it, an attacker must be authenticated and have create/update permissions on charts or dashboards. On successful exploitation, the attacker could store a script or a crafted HTML snippet that executes as a stored XSS in the browser of any user who views the affected content.

Nick Barnes of Praetorian Security Inc. and Amit Laish of GE Vernova have reported the vulnerability.

Apache Superset is a modern, enterprise-ready business intelligence web application. It is fast, lightweight, intuitive, and loaded with options that make it easy for users of all skill sets to explore and visualize their data, from simple pie charts to highly detailed deck.gl geospatial charts.

Affected Versions

The vulnerability affects Apache Superset versions before 3.0.3.

Mitigation

Customers must upgrade to Apache Superset version 3.0.3 or later to patch the vulnerability.

Apache recommends that users on 2.X versions change their config to include:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
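The TALISMAN_CONFIG block above only helps if it is actually applied without weakening. As an added example (not code from the Qualys advisory, Apache Superset, or flask-talisman), the following Python lints a TALISMAN_CONFIG dictionary against the hardening points the recommended policy relies on (no 'unsafe-inline' or scheme-wide sources in script-src, 'strict-dynamic' present, a per-response nonce applied to script-src, object-src locked to 'none', base-uri restricted) and shows how such a dictionary is rendered into a Content-Security-Policy header. The WEAK_TALISMAN_CONFIG sample is constructed for illustration; the nonce handling in render_csp approximates how a nonce is appended to the directives listed in content_security_policy_nonce_in and is not flask-talisman's own implementation.

```python
from typing import Dict, List, Union

Directive = Union[str, List[str]]

# Constructed sample: a permissive policy of the kind an older deployment might carry.
WEAK_TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'", "https:"],
        "style-src": ["'self'", "'unsafe-inline'"],
    },
    "content_security_policy_nonce_in": [],
    "force_https": False,
    "session_cookie_secure": False,
}

# The policy recommended in the advisory's mitigation section, reproduced verbatim.
RECOMMENDED_TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}


def _values(csp: Dict[str, Directive], name: str) -> List[str]:
    """Return a directive's sources as a list, whether configured as a str or a list."""
    value = csp.get(name)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_talisman_config(cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means the script-execution controls are in place."""
    findings: List[str] = []
    csp = cfg.get("content_security_policy")
    if not isinstance(csp, dict) or not csp:
        return ["no content_security_policy configured"]

    script_src = _values(csp, "script-src")
    if not script_src:
        findings.append("script-src missing (browser falls back to default-src)")
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline' (stored inline scripts would run)")
    if "'strict-dynamic'" not in script_src:
        findings.append("script-src lacks 'strict-dynamic'")
    for scheme in ("https:", "http:", "*"):
        if scheme in script_src:
            findings.append(f"script-src allows any host via {scheme}")
    if "script-src" not in cfg.get("content_security_policy_nonce_in", []):
        findings.append("no per-response nonce applied to script-src")
    if _values(csp, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if not _values(csp, "base-uri"):
        findings.append("base-uri not restricted")
    return findings


def render_csp(cfg: dict, nonce: str) -> str:
    """Render the CSP dict as a header value, appending the nonce to the configured directives.

    Approximation of the nonce mechanism, not flask-talisman's code; the nonce must be
    freshly generated per response in a real deployment.
    """
    csp = cfg["content_security_policy"]
    nonce_in = cfg.get("content_security_policy_nonce_in", [])
    parts = []
    for name in csp:
        sources = _values(csp, name)
        if name in nonce_in:
            sources = sources + [f"'nonce-{nonce}'"]
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_TALISMAN_CONFIG), ("recommended", RECOMMENDED_TALISMAN_CONFIG)):
        print(f"[{label}] findings: {lint_talisman_config(cfg) or 'none'}")
        print(f"[{label}] header:   {render_csp(cfg, 'EXAMPLE_NONCE')}")
```

Run it against the dictionary loaded from a deployment's superset_config.py to see which of the advisory's controls are missing; the rendered header is what the browser will enforce, so it is the value to compare with the policy an operator believes is in effect.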

Please refer to the Apache Security Advisory for more information.

Qualys Detection

Qualys customers can scan their devices with QID 731108 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx
