CVE-2021-27907

moderate-risk
Published 2021-03-05

Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code.

Do I need to act?

~
4.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Apache

References (4)

Mailing List https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9...
Mailing List https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9...
Mailing List https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9...
Mailing List https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9...
34
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 8/34 · Low
Exposure 5/34 · Minimal