CVE-2023-49657

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
23/01/2024
Last modified:
29/01/2024

Description

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.

For 2.X versions, users should change their config to include the following Content Security Policy (delivered through flask-talisman). This is a mitigation, not a fix: it stops an injected script from executing in the browser because only nonce-tagged scripts may run and 'object-src' is 'none'; the injection itself is fixed by upgrading to 3.0.3 or later.

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
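The following is an added example, not code from the advisory or from the Apache Superset project. It shows what the mitigation above actually produces on the wire and how to check a deployment's TALISMAN_CONFIG against it: render_csp builds the Content-Security-Policy header value the way flask-talisman joins directives and appends the per-request nonce (a simplified re-implementation, not Talisman's own code), and audit_csp flags the settings that would let stored chart/dashboard content execute script. WEAK_TALISMAN_CONFIG is a constructed contrast case and is not Superset's shipped default; the audit rules are this example's own.

```python
"""Render and audit a flask-talisman style TALISMAN_CONFIG.

Added example for the CVE-2023-49657 mitigation; not part of the advisory
or of Apache Superset. The header rendering is a simplified model of how
flask-talisman emits its policy, and the audit rules are assumptions
about what a stored-XSS mitigation must contain.
"""
import secrets

# Mitigating config for 2.x deployments, as given in the advisory.
MITIGATED_TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}

# Constructed weak config for contrast (illustrative, NOT Superset's default):
# inline and eval'd script allowed, no nonce, no object-src / base-uri.
WEAK_TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": [],
    "force_https": False,
    "session_cookie_secure": False,
}


def render_csp(config, nonce):
    """Return the Content-Security-Policy header value for one request.

    One "directive source ..." clause per key, joined by "; ".  The directives
    named in content_security_policy_nonce_in get 'nonce-<value>' appended,
    which is what lets Superset's own inline bootstrap scripts run while an
    attacker's injected <script> (which cannot know the nonce) is refused.
    """
    policy = config["content_security_policy"]
    nonce_in = set(config.get("content_security_policy_nonce_in", []))
    clauses = []
    for directive, sources in policy.items():
        sources = [sources] if isinstance(sources, str) else list(sources)
        if directive in nonce_in:
            sources.append(f"'nonce-{nonce}'")
        clauses.append(f"{directive} {' '.join(sources)}")
    return "; ".join(clauses)


def audit_csp(config):
    """Return a list of findings; an empty list means the policy matches the
    intent of the advisory's mitigation for stored XSS in chart/dashboard content."""
    policy = config["content_security_policy"]
    nonce_in = set(config.get("content_security_policy_nonce_in", []))
    findings = []
    script_src = policy.get("script-src")
    if script_src is None:
        findings.append("script-src missing: script loading falls back to default-src")
    else:
        if "script-src" not in nonce_in:
            findings.append("script-src has no nonce: 'strict-dynamic' cannot bootstrap trusted scripts")
        if "'unsafe-inline'" in script_src and "script-src" not in nonce_in:
            findings.append("script-src allows 'unsafe-inline' without a nonce: injected <script> executes")
        if "'unsafe-eval'" in script_src:
            findings.append("script-src allows 'unsafe-eval': string-to-code sinks stay reachable")
    if policy.get("object-src") not in ("'none'", ["'none'"]):
        findings.append("object-src is not 'none': <object>/<embed> payloads are allowed")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base href> can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # Talisman generates one per request
    print("Mitigated header:", render_csp(MITIGATED_TALISMAN_CONFIG, nonce))
    print("Mitigated findings:", audit_csp(MITIGATED_TALISMAN_CONFIG))
    print("Weak findings:", audit_csp(WEAK_TALISMAN_CONFIG))
```

Running audit_csp against your own superset_config.py values is the practical check: the advisory's config should return no findings, and any deployment that still lists 'unsafe-inline' or 'unsafe-eval' in script-src, or omits the nonce, has not applied the mitigation. The nonce must be freshly generated per response; a fixed value would be as good as none.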

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:* 3.0.3 (excluding)


References to Advisories, Solutions, and Tools