CVE-2021-27907: Cross-site Scripting
(updated )
Apache Superset allowed the creation of a Markdown component on a Dashboard page for describing chart’s related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user’s browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a div
section and embedding in it a svg
element with javascript code.
References
Detect and mitigate CVE-2021-27907 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →