SCA: security update for apache-superset (GHSA-rwhh-6x83-84v6)

medium Tenable Cloud Security Plugin ID 418968

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated
attacker with create/update permissions on charts or dashboards could store a script or add a specific
HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to
include: TALISMAN_CONFIG = { "content_security_policy": { "base-uri": ["'self'"], "default-src":
["'self'"], "img-src": ["'self'", "blob:", "data:"], "worker-src": ["'self'", "blob:"], "connect-src": [
"'self'", " https://api.mapbox.com" https://api.mapbox.com" ;, " https://events.mapbox.com"
https://events.mapbox.com" ;, ], "object-src": "'none'", "style-src": [ "'self'", "'unsafe-inline'", ],
"script-src": ["'self'", "'strict-dynamic'"], }, "content_security_policy_nonce_in": ["script-src"],
"force_https": False, "session_cookie_secure": False, } (CVE-2023-49657)

See Also

https://github.com/advisories/GHSA-rwhh-6x83-84v6

Plugin Details

Severity: Medium

ID: 418968

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-49657

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/23/2024

Vulnerability Publication Date: 1/23/2024

Reference Information

CVE: CVE-2023-49657

cwe: CWE-79