
List:       oss-security
Subject:    Re: [oss-security] CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title
From:       Christian Fischer <christian.fischer () greenbone ! net>
Date:       2024-01-23 15:45:39
Message-ID: 6ef7a3c6-f9df-4b05-ab99-6f4b8aea4ac8 () greenbone ! net

Hi,

On 23.01.24 14:18, Daniel Gaspar wrote:
> Affected versions:
> 
> - Apache Superset through 3.0.3
> 
> *snip*
> 
> in Apache Superset before 3.0.3

it seems there is some inconsistency in the affected / fixed versions 
mentioned here, in [1] as well as in the following part of the CVE entry 
[2]:

> affected from 0 through 3.0.3

While [3] doesn't list this CVE yet, it seems 3.0.3 is the actual fixed 
version, as [4] mentions a relevant entry around an XSS in a "Dashboard":

> #21822 fix(dashboard): Prevent XSS attack vector (@agl-developer)

which links to [5] as the relevant PR.

[1] https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx
[2] https://www.cve.org/CVERecord?id=CVE-2023-49657
[3] https://superset.apache.org/docs/security/cves/
[4] https://github.com/apache/superset/blob/3.0.3/CHANGELOG.md#303-tue-jan-9-164807-2023--0300
[5] https://github.com/apache/superset/pull/21822

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone AG, Neumarkt 12, 49074 Osnabrück, Germany
https://www.greenbone.net/
Company registry: Amtsgericht Osnabrück, HRB 218768
Board of directors: Dr. Jan-Oliver Wagner (CEO), Elmar Geese
Chairman of the Supervisory Board: Lukas Grunwald