CVE-2021-28125
Open Redirect in Apache Superset
6.1
MEDIUM
CVSS 3.1
EPSS 2.6%
Description
Apache Superset up to and including 1.0.1 allowed the creation of an external URL that could be malicious. Because user input was not checked for open redirects, the URL shortener functionality let a malicious user create a short URL for a dashboard that could convince a user to click the link.
How to fix CVE-2021-28125
To remediate CVE-2021-28125, upgrade the affected package to a fixed version below.
- upgrade to 1.0.2 or later
- upgrade to 1.1.0 or later
- upgrade to 1.1.0 or later
- no fix listed
Is CVE-2021-28125 being exploited?
Low — EPSS is 2.6%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1.0.2
- from 0, < 1.1.0
- from 0, < 1.1.0
- from 0, <= 0.34.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |