List: oss-security
Subject: Re: [oss-security] CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title
From: Christian Fischer <christian.fischer () greenbone ! net>
Date: 2024-01-23 15:45:39
Message-ID: 6ef7a3c6-f9df-4b05-ab99-6f4b8aea4ac8 () greenbone ! net
Hi,
On 23.01.24 14:18, Daniel Gaspar wrote:
> Affected versions:
>
> - Apache Superset through 3.0.3
>
> *snip*
>
> in Apache Superset before 3.0.3
It seems there is some inconsistency in the affected / fixed versions
mentioned here, in [1] as well as in the following part of the CVE entry
[2]:
> affected from 0 through 3.0.3
While [3] doesn't list this CVE yet, it seems 3.0.3 is the actual fixed
version, as [4] mentions a relevant entry around an XSS in a "Dashboard":
> #21822 fix(dashboard): Prevent XSS attack vector (@agl-developer)
which links to [5] as the relevant PR.
[1] https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx
[2] https://www.cve.org/CVERecord?id=CVE-2023-49657
[3] https://superset.apache.org/docs/security/cves/
[4] https://github.com/apache/superset/blob/3.0.3/CHANGELOG.md#303-tue-jan-9-164807-2023--0300
[5] https://github.com/apache/superset/pull/21822
Regards,
--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone AG, Neumarkt 12, 49074 Osnabrück, Germany
https://www.greenbone.net/
Company registry: Amtsgericht Osnabrück, HRB 218768
Board of directors: Dr. Jan-Oliver Wagner (CEO), Elmar Geese
Chairman of the Supervisory Board: Lukas Grunwald