Vulnerability Description
Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Superset | <= 0.38.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9Mailing ListVendor Advisory
- https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9Mailing ListVendor Advisory
- https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9Mailing ListVendor Advisory
- https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9Mailing ListVendor Advisory
FAQ
What is CVE-2021-27907?
CVE-2021-27907 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user cou...
How severe is CVE-2021-27907?
CVE-2021-27907 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-27907?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.