CVE-2022-43718

MEDIUM5.4EPSS 0.50%

Apache Superset is vulnerable to Cross-Site Scripting (XSS)

Published: 1/16/2023Modified: 4/7/2025

Also known as:GHSA-79x5-cv79-49rjBIT-superset-2022-43718

Description

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected packages (2)

Bitnami/supersetfrom 0, < 1.5.3, >= 2.0.0, < 2.0.1
PyPI/apache-supersetfrom 0, <= 1.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-43718
PATCHhttps://github.com/apache/superset
WEBhttps://lists.apache.org/thread/8615608jt2x7b3rmqrtngldy8pn3nz2r