CVE-2023-49657: 
Wolfi vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability (CVE-2023-49657) was discovered in Apache Superset versions before 3.0.3. The vulnerability was disclosed on January 23, 2024, affecting the Apache Superset open-source data visualization software. This critical security flaw allows authenticated attackers with create/update permissions on charts or dashboards to inject malicious scripts or specific HTML snippets that act as stored XSS (NVD, Security Online).

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) by the Apache Software Foundation, while NIST assigned a score of 5.4 (Medium). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N) according to the Apache Software Foundation's assessment (NVD).

This stored XSS vulnerability is particularly dangerous as it embeds malicious code within the application itself, potentially allowing attackers to execute unauthorized commands and access sensitive information under the guise of legitimate user sessions. The critical severity rating indicates the potential for significant impact on system security (Security Online).

The Apache Software Foundation has released version 3.0.3 to address this vulnerability. For users running 2.X versions, a specific TALISMAN_CONFIG configuration has been provided that includes content security policy settings to mitigate the vulnerability. The configuration includes various security directives such as base-uri, default-src, img-src, and other content security policy parameters (NVD, Security Online).