PyPI: dash
CVE-2024-21485
Safety vulnerability ID: SFTY-20240202-24919
Safety legacy ID: pyup.io-65284
Overview
Dash apps vulnerable to Cross-site Scripting
Advisory
Earlier versions of Dash and its components are susceptible to an XSS vulnerability through attacker-controlled values in the href attribute of a (anchor) tags. An authenticated attacker who is able to store a manipulated view and have it presented to other users could use this flaw to access or manipulate those users' data and tokens. The vulnerability is only exploitable in Dash apps that include some mechanism to store user input so that it is later reloaded by a different user. Further details are covered under CVE-2024-21485.
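The passage above describes the defensive point an app author needs: a stored, user-supplied URL must never reach an anchor's href unchecked. The following is an added example, not Dash's own code and not the project's fix (which is the upgrade linked under References). It assumes a hypothetical "saved view" record with label and href fields and hypothetical helper names (safe_href, sanitize_stored_links, STORED_LINKS, ALLOWED_SCHEMES); the sample records are constructed. It goes slightly beyond the advisory's single case by also rejecting other non-allowlisted schemes (data:, ftp:) and whitespace-obfuscated schemes that browsers would still honour.

```python
"""Added example (not Dash's code or its fix): allowlist-validate a stored,
user-supplied URL before it is assigned to an anchor's href, e.g. before
passing it to dash.html.A(href=...). Names and sample data are assumptions."""
import re
from urllib.parse import urlsplit

# Only these schemes (plus relative paths and fragments) are rendered as links.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})
# Anything rejected collapses to an inert fragment link.
SAFE_FALLBACK = "#"
# ASCII control characters and space: browsers strip tab/newline from a URL
# before parsing it, so "java\tscript:" is still a javascript: URL to the
# browser. Treat their presence as a bypass attempt and reject outright.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample of what a stored "saved view" might contain.
STORED_LINKS = [
    {"label": "Sales dashboard", "href": "/dashboards/sales"},
    {"label": "Docs", "href": "https://example.com/docs"},
    {"label": "Contact", "href": "mailto:sec@example.com"},
    {"label": "Click me", "href": "javascript:alert(1)"},
    {"label": "Also me", "href": "\tJaVaScRiPt:alert(1)"},
]


def safe_href(value):
    """Return value unchanged if it is an acceptable href, else SAFE_FALLBACK."""
    if not isinstance(value, str) or not value:
        return SAFE_FALLBACK
    if _CONTROL_OR_SPACE.search(value):
        return SAFE_FALLBACK
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme == "":
        # No scheme: "/page", "page?x=1", "#top" are fine. A protocol-relative
        # "//host/" has an empty scheme but a netloc; treat it as external
        # without an allowlisted scheme and reject it (conservative choice).
        return value if not parts.netloc else SAFE_FALLBACK
    return value if scheme in ALLOWED_SCHEMES else SAFE_FALLBACK


def sanitize_stored_links(records):
    """Apply safe_href to each stored record.

    Returns (sanitized, rejected). `rejected` holds the original values that
    were replaced, so the app can log them: a javascript: URL sitting in
    stored user input is a signal that someone tried to plant a payload for
    other users, which is worth alerting on, not just silently fixing.
    """
    sanitized, rejected = [], []
    for rec in records:
        original = rec.get("href", "")
        href = safe_href(original)
        if href != original:
            rejected.append(original)
        # In a Dash layout this pair would become html.A(label, href=href).
        sanitized.append({"label": rec.get("label", ""), "href": href})
    return sanitized, rejected


if __name__ == "__main__":
    links, bad = sanitize_stored_links(STORED_LINKS)
    for link in links:
        print(f"{link['label']!r:20} -> {link['href']}")
    print(f"rejected {len(bad)} stored href value(s): {bad!r}")
```

Run the check on the way out of storage (when the saved view is loaded for rendering), not only on the way in: input stored before the check existed is exactly the data this advisory is about. The rejected list is the detection hook; wire it to the app's logging so a planted javascript: link is visible to whoever reviews the logs.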
How to Fix
Mitigation and Workarounds
Upgrade to Dash 2.15.0 or later, which contains the fix (see the fix commit and the v2.15.0 release linked under References).
References
- https://getsafety.com/vulnerabilities/SFTY-20240202-24919/CVE-2024-21485
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21485
- https://github.com/plotly/dash/commit/9920073c9a8619ae8f90fcec1924f2f3a4332a8c
- https://github.com/plotly/dash/issues/2729
- https://github.com/plotly/dash/pull/2732
- https://github.com/plotly/dash/releases/tag/v2.15.0
- https://security.snyk.io/vuln/SNYK-JS-DASHCORECOMPONENTS-6183084
- https://security.snyk.io/vuln/SNYK-JS-DASHHTMLCOMPONENTS-6226337
- https://security.snyk.io/vuln/SNYK-PYTHON-DASH-6226335
- https://security.snyk.io/vuln/SNYK-PYTHON-DASHCORECOMPONENTS-6226334
- https://security.snyk.io/vuln/SNYK-PYTHON-DASHHTMLCOMPONENTS-6226336
- https://nvd.nist.gov/vuln/detail/CVE-2024-21485
- https://github.com/pypa/advisory-database/tree/main/vulns/dash/PYSEC-2024-35.yaml
- https://github.com/advisories/GHSA-547x-748v-vp6p
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
