CVE-2021-32609: Apache Superset Cross-site Scripting (XSS) vulnerability on the Explore page
CVSS Score: 5.4 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-32609
GHSA ID
EPSS Score: 0.9334%
CWE
Published: 5/24/2022
Updated: 9/12/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| apache-superset | pip | >= 0, < 1.2.0 | 1.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper sanitization of chart titles in two phases: 1) during rendering (frontend display), where the title is injected into the DOM without proper escaping, and 2) during storage (backend persistence), where malicious titles are not sanitized before being saved. The high-confidence entry points to the template rendering logic (a common XSS pattern in web frameworks), while the medium-confidence entry addresses the persistence layer, based on the vulnerability description's mention of saving malicious titles. Without commit diffs, these are inferred from typical MVC architecture patterns in web applications and from the described attack vector.