CVE-2022-43720

Published: Jan 16, 2023Modified: Apr 7, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected (4)

Products: Apache: Superset

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Apache Superset	Up to 1.5.2
Apache Superset	Version 2.0.0
Apache Superset	Version 2.0.0 rc1
Apache Superset	Version 2.0.0 rc2

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (2)

https://lists.apache.org/thread/jts6x56kghr9mbowb653bk70pl81jp8l

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.apache.org/thread/jts6x56kghr9mbowb653bk70pl81jp8l

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.