Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NDd4LTc0OHYtdnA2cM4AA5A9
Dash apps vulnerable to Cross-site Scripting
Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server.
Note:
This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
Permalink: https://github.com/advisories/GHSA-547x-748v-vp6pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NDd4LTc0OHYtdnA2cM4AA5A9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: about 2 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Identifiers: GHSA-547x-748v-vp6p, CVE-2024-21485
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21485
- https://github.com/plotly/dash/issues/2729
- https://github.com/plotly/dash/pull/2732
- https://github.com/plotly/dash/commit/9920073c9a8619ae8f90fcec1924f2f3a4332a8c
- https://github.com/plotly/dash/releases/tag/v2.15.0
- https://security.snyk.io/vuln/SNYK-JS-DASHCORECOMPONENTS-6183084
- https://security.snyk.io/vuln/SNYK-JS-DASHHTMLCOMPONENTS-6226337
- https://security.snyk.io/vuln/SNYK-PYTHON-DASH-6226335
- https://security.snyk.io/vuln/SNYK-PYTHON-DASHCORECOMPONENTS-6226334
- https://security.snyk.io/vuln/SNYK-PYTHON-DASHHTMLCOMPONENTS-6226336
- https://github.com/pypa/advisory-database/tree/main/vulns/dash/PYSEC-2024-35.yaml
- https://github.com/advisories/GHSA-547x-748v-vp6p
Blast Radius: 32.3
Affected Packages
pypi:dash-core-components
Dependent packages: 42Dependent repositories: 8,232
Downloads: 1,320,871 last month
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.3, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.26.0, 0.27.1, 0.27.2, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.29.0, 0.30.0, 0.30.1, 0.30.2, 0.31.0, 0.32.0, 0.33.0, 0.33.1, 0.34.0, 0.35.0, 0.35.1, 0.35.2, 0.36.0, 0.36.1, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 0.39.0, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.40.4, 0.40.5, 0.41.0, 0.42.0, 0.42.1, 0.43.0, 0.43.1, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.1
All unaffected versions: 2.0.0
pypi:dash-html-components
Dependent packages: 47Dependent repositories: 8,235
Downloads: 2,447,408 last month
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.15.0, 0.16.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 2.0.0
npm:dash-html-components
Dependent packages: 1Dependent repositories: 1
Downloads: 15,746 last month
Affected Version Ranges: < 2.0.16
Fixed in: 2.0.16
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.1, 0.3.2, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.15.0, 0.16.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15
All unaffected versions: 2.0.16, 2.0.17
pypi:dash
Dependent packages: 294Dependent repositories: 11,467
Downloads: 2,831,703 last month
Affected Version Ranges: < 2.15.0
Fixed in: 2.15.0
All affected versions: 0.0.0, 0.17.4, 0.17.5, 0.17.7, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.19.0, 0.20.0, 0.21.0, 0.21.1, 0.22.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.25.0, 0.25.1, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.27.0, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.28.4, 0.28.5, 0.28.6, 0.28.7, 0.29.0, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.32.2, 0.34.0, 0.35.0, 0.35.1, 0.35.2, 0.35.3, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.20.0, 1.21.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.14.1, 2.14.2
All unaffected versions: 2.15.0, 2.16.0, 2.16.1
npm:dash-core-components
Dependent packages: 1Dependent repositories: 8
Downloads: 83,796 last month
Affected Version Ranges: < 2.13.0
Fixed in: 2.13.0
All affected versions: 0.0.4, 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.2.0, 0.2.1, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.29.0, 0.30.0, 0.30.1, 0.30.2, 0.31.0, 0.32.0, 0.33.0, 0.33.1, 0.34.0, 0.35.0, 0.35.1, 0.35.2, 0.36.0, 0.36.1, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 0.39.0, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.40.4, 0.40.5, 0.41.0, 0.42.0, 0.42.1, 0.43.0, 0.43.1, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.11.0, 2.11.1, 2.12.0, 2.12.1
All unaffected versions: 2.13.0, 2.13.1