CVE-2021-27907: Cross-site Scripting

March 5, 2021 (updated November 7, 2023)

Apache Superset allowed the creation of a Markdown component on a Dashboard page for describing chart’s related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user’s browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a div section and embedding in it a svg element with javascript code.

References

nvd.nist.gov/vuln/detail/CVE-2021-27907

Detect and mitigate CVE-2021-27907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →