CVE-2022-43720: 
Python vulnerability analysis and mitigation

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This vulnerability affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. The vulnerability was disclosed on January 16, 2023, and has been assigned a CVSS v3.1 base score of 5.4 (Medium) (NVD).

The vulnerability is classified as an improper neutralization of special elements in output used by a downstream component (CWE-74). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, and can result in low confidentiality and integrity impacts (NVD).

The vulnerability allows an authenticated attacker with appropriate permissions to perform HTML injection through CSS template records, potentially leading to cross-site scripting (XSS) attacks when other users interact with the affected toast messages. This could result in unauthorized access to user data or execution of malicious scripts in the context of other users' sessions (Security Online).

The vulnerability has been patched in Apache Superset versions 1.5.3 and 2.0.1. Users are advised to upgrade to these or later versions to address the security issue (Security Online).