CVE-2023-49657: Apache Superset Hit by High-Risk Stored XSS Vulnerability

The maintainers of the Apache Superset open-source data visualization software have released fixes to fix a critical vulnerability that could lead to stored cross-site scripting attacks.

Dubbed CVE-2023-49657, this stored cross-site scripting (XSS) vulnerability has carved a chilling notch on the bedpost of cyber threats, with the Apache Software Foundation assigning it a near-perfect peril score of 9.6 on the Common Vulnerability Scoring System (CVSSv3.1). Classified as “Critical“—the zenith of severity in the four-tiered ranking system—this flaw casts a long shadow over the bright promise of Superset.

Dubbed CVE-2023-49657, this stored cross-site scripting (XSS) vulnerability has carved a chilling notch on the bedpost of cyber threats, with the Apache Software Foundation assigning it a near-perfect peril score of 9.6 on the Common Vulnerability Scoring System (CVSSv3.1). Classified as “Critical”—the zenith of severity in the four-tiered ranking system—this flaw could lead to code execution.

Stored XSS vulnerabilities are particularly insidious. Unlike their reflective counterparts, which require a user to click on a malicious link, stored XSS flaws embed themselves within the very fabric of the application, lying in wait to spring upon unsuspecting users. In the case of CVE-2023-49657, the vulnerability allows an authenticated attacker wielding create or update permissions on charts or dashboards to inject malicious scripts or specific HTML snippets. This attack vector could then execute unauthorized commands or access sensitive information, all under the guise of a legitimate user’s session.

The vulnerability’s existence in versions of Apache Superset before 3.0.3 paints a target on the backs of numerous data-driven enterprises relying on the platform for their analytical endeavors.

In response, the Apache Software Foundation and the Superset addressed and patched this flaw in version 3.0.3. For 2.x versions, users should change their config to include:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            " https://api.mapbox.com" https://api.mapbox.com" ;,
            " https://events.mapbox.com" https://events.mapbox.com" ;,
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}