CVE-2022-27479 Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests

The following issues have been reported in 1.4.2; in each case users are encouraged to update to 1.4.3 or higher:

- a cross-site scripting (XSS) vulnerability in the ‘add or edit’ page
- user session hijacking in the ‘create’ page
- a remote code execution vulnerability
- a critical XSS vulnerability
- an XSS vulnerability
- an information disclosure vulnerability in the ‘add or edit’ page
- an information disclosure vulnerability
- an XSS vulnerability in the ‘chart type’ field

A critical XSS vulnerability has been reported in 1.4.

3.3.3 and 4.2.2 are also vulnerable to a cross-site scripting vulnerability in the ‘add or edit’ page

3.3.3 and 4.2.2 are also vulnerable to a cross-site scripting vulnerability in the ‘add or edit’ page; please update to 3.3.4 or higher to fix this issue.
A remote code execution vulnerability has been reported in 3.3.3 and 4.2.2; please update to 3.4 or higher to fix this issue.

1.4.3 and higher

There have also been reports of 1.4.2 being vulnerable to user session hijacking in the ‘create’ page and to a cross-site scripting (XSS) vulnerability in the ‘add or edit’ page; both issues were fixed by updating to 1.4.3 or higher.

Timeline

Published on: 04/13/2022 19:15:00 UTC
Last modified on: 04/21/2022 02:42:00 UTC

References