CVE-2022-43718

MEDIUM5.4EPSS 0.50%

Apache Superset: Cross-Site Scripting vulnerability on upload forms

Published: 1/16/2023Modified: 11/6/2025

Description

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected packages (2)

Bitnami/supersetfrom 0, < 1.5.3, >= 2.0.0, < 2.0.1
PyPI/apache-supersetfrom 0, <= 1.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-43718
PATCHhttps://github.com/apache/superset
WEBhttps://lists.apache.org/thread/8615608jt2x7b3rmqrtngldy8pn3nz2r