CVE-2022-43717

MEDIUM5.4EPSS 1.5%

Apache Superset: Cross-Site Scripting on dashboards

Published: 1/16/2023Modified: 11/6/2025

Description

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected packages (2)

Bitnami/supersetfrom 0, < 1.5.3, >= 2.0.0, < 2.0.1
PyPI/apache-supersetfrom 0, <= 1.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-43717
PATCHhttps://github.com/apache/superset
WEBhttps://lists.apache.org/thread/g6zy6vkpvkbj5mj32vmyzwol5ldtg9pl