CVE-2024-21485

Exploit

EPSS 1.48%
Veröffentlicht 02.02.2024 05:15:09
Zuletzt bearbeitet 15.05.2025 20:15:42
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server.

**Note:**

This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 12

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Plotly ≫ Dash Version < 2.13.0

Plotly ≫ Dash Version >= 2.14.0 < 2.15.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.48%	0.704

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
report@snyk.io	6.5	1.3	4.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/plotly/dash/commit/9920073c9a8619ae8f90fcec1924f2f3a4332a8c

Patch

https://github.com/plotly/dash/issues/2729

Exploit

Issue Tracking

https://github.com/plotly/dash/pull/2732

Patch

Issue Tracking

https://github.com/plotly/dash/releases/tag/v2.15.0

Release Notes

https://security.snyk.io/vuln/SNYK-JS-DASHCORECOMPONENTS-6183084

Third Party Advisory

Exploit

https://security.snyk.io/vuln/SNYK-JS-DASHHTMLCOMPONENTS-6226337

Third Party Advisory

Exploit

https://security.snyk.io/vuln/SNYK-PYTHON-DASH-6226335

Third Party Advisory

Exploit

https://security.snyk.io/vuln/SNYK-PYTHON-DASHCORECOMPONENTS-6226334

Third Party Advisory

Exploit

https://security.snyk.io/vuln/SNYK-PYTHON-DASHHTMLCOMPONENTS-6226336

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-21485

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21485

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21485

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-21485