VYPR
Moderate severity · NVD Advisory · Published Jan 16, 2023 · Updated Apr 7, 2025

Apache Superset: Improper rendering of user input

CVE-2022-43720

Description

An authenticated attacker with CSS template write permissions can inject unescaped HTML via the toast message when a CSS template record is deleted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0 [1].

To exploit this vulnerability, an attacker must have a valid account with CSS template write permissions. The attacker then creates a CSS template record containing malicious HTML tags. When a user (potentially a different user with higher privileges) deletes that record, the unsanitized HTML is rendered in the toast notification, enabling the stored cross-site scripting (XSS) attack [1].
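The sink described above, as an added example rather than code from the page or from Superset's own Toast component: a minimal toast renderer that interpolates a stored record name into markup, shown in its vulnerable form beside an escaped form. The function names, the wrapper markup and the malicious template name are all constructed for this illustration and do not reproduce Superset internals.

```javascript
// Added example: a minimal toast renderer showing the flaw class behind
// CVE-2022-43720 and the fix. Illustrative code, not Superset's own Toast
// component; function names and the sample payload are constructed here.

// Escape the characters that matter in an HTML text or attribute context.
// Ampersand is handled first so the entities emitted afterwards are not
// double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the record's name is concatenated straight into the
// HTML string that the toast widget will later assign to innerHTML (or
// pass to dangerouslySetInnerHTML), so stored tags become live elements.
function renderToastUnsafe(templateName) {
  return `<div class="toast">Deleted: ${templateName}</div>`;
}

// Hardened pattern: the record's name is escaped before it enters markup,
// so any tags an attacker stored in it render as literal text.
function renderToastSafe(templateName) {
  return `<div class="toast">Deleted: ${escapeHtml(templateName)}</div>`;
}

// Regression check for the sink: strip the toast's own wrapper and report
// whether anything that parses as a tag is left in the interpolated text.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="toast">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed attacker-controlled CSS template name (not a real record):
// an element whose error handler fires as soon as the toast is rendered.
const MALICIOUS_NAME = 'theme<img src=x onerror="alert(document.cookie)">';

// Stand-alone demonstration of both paths.
console.log('unsafe :', renderToastUnsafe(MALICIOUS_NAME));
console.log('safe   :', renderToastSafe(MALICIOUS_NAME));
console.log('unsafe injected?', containsInjectedTag(renderToastUnsafe(MALICIOUS_NAME)));
console.log('safe injected?  ', containsInjectedTag(renderToastSafe(MALICIOUS_NAME)));
```

The point to carry over to a real review is where the string ends up: a framework that escapes text children (React JSX, for instance) is safe only while the message is rendered as text, and any path that hands a pre-built HTML string to innerHTML or an equivalent raw-HTML prop reopens exactly this hole. When auditing a fix for a bug of this shape, look for the raw-HTML sink first, then confirm the user-controlled field (here the template name) is either escaped before it reaches it or never reaches it at all.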

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, data exfiltration, or other actions performed on behalf of the authenticated victim within Apache Superset [1].

Apache Superset released a fix in subsequent versions; users are advised to upgrade to a patched version. No workarounds have been publicly documented, and the software is actively maintained [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apache-superset (PyPI)
Affected versions: <= 1.5.2
Patched versions: not listed

Note that the description above also names version 2.0.0 as affected; the GHSA-sourced range shown here covers only the 1.x line.
