Vulnerabilities > Apache > Superset > 0.32.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-11-17 | CVE-2021-42250 | Improper Encoding or Escaping of Output vulnerability in Apache Superset Improper output neutralization for Logs. | 4.0 |
| 2021-11-12 | CVE-2021-41972 | Unspecified vulnerability in Apache Superset Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. | 4.0 |
| 2021-10-18 | CVE-2021-32609 | Cross-site Scripting vulnerability in Apache Superset Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. | 3.5 |
| 2021-10-18 | CVE-2021-41971 | SQL Injection vulnerability in Apache Superset Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL. | 6.0 |
| 2021-04-27 | CVE-2021-28125 | Open Redirect vulnerability in Apache Superset Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. | 6.1 |
| 2021-03-05 | CVE-2021-27907 | Cross-site Scripting vulnerability in Apache Superset Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. | 5.4 |
| 2020-09-30 | CVE-2020-13952 | Unspecified vulnerability in Apache Superset In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. | 5.5 |
| 2020-09-17 | CVE-2020-13948 | Unspecified vulnerability in Apache Superset While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. | 8.8 |