Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2024-21485
HistoryFeb 02, 2024 - 5:15 a.m.

CVE-2024-21485

2024-02-0205:15:09
CWE-79
[email protected]
web.nvd.nist.gov
86
security
vulnerability
xss
dash-core-components
dash-html-components
data theft
access tokens

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N/E:P

0.001 Low

EPSS

Percentile

38.0%

JSON

Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that’s visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server.

Note:

This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.

Affected configurations

NVD
Node
plotlydashRange<2.13.0
OR
plotlydashRange2.14.02.15.0

CNA Affected

[
  {
    "product": "dash-core-components",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.13.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "dash-core-components",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.0.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "dash",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.15.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "dash-html-components",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.0.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "dash-html-components",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.0.16",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

Related

github 1
cvelist 1
osv 3
alpinelinux 1
prion 1
veracode 1
nvd 1
github
github
Dash apps vulnerable to Cross-site Scripting
2024-02-02 06:30:31
cvelist
cvelist
CVE-2024-21485
2024-02-02 05:00:01
osv
osv
PYSEC-2024-35
2024-02-02 05:15:00
Dash apps vulnerable to Cross-site Scripting
2024-02-02 06:30:31
CVE-2024-21485
2024-02-02 05:15:09
alpinelinux
alpinelinux
CVE-2024-21485
2024-02-02 05:15:09
prion
prion
Cross site scripting
2024-02-02 05:15:00
veracode
veracode
Cross-Site Scripting (XSS)
2024-02-05 08:36:49
nvd
nvd
CVE-2024-21485
2024-02-02 05:15:09

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N/E:P

0.001 Low

EPSS

Percentile

38.0%

JSON
Related for CVE-2024-21485
github1cvelist1osv3alpinelinux1prion1veracode1nvd1