CVE-2024-21485
Cross-site Scripting (XSS) vulnerability in dash-core-components (npm)

Cross-site Scripting (XSS) | No known exploit

What is CVE-2024-21485 About?

This is a Cross-site Scripting (XSS) vulnerability affecting Dash applications when an attacker controls the `href` attribute of an `<a>` tag. An authenticated attacker can store a malicious view, leading to data theft or session hijacking for other users viewing it. Exploitation is medium-to-hard, requiring specific conditions and user interaction.

Affected Software

  • dash-core-components
    • <2.13.0
    • <2.0.0
  • dash-html-components
    • <2.0.0
    • <2.0.16
  • dash
    • <2.15.0

Technical Details

The vulnerability lies in insufficient sanitization within the dash-core-components, dash, and dash-html-components packages when rendering `<a>` tags where the `href` attribute can be controlled by an attacker. Specifically, if an application allows user input that is then used to populate the `href` attribute of an `<a>` tag, a malicious script can be injected. When another user views this stored input, the script executes in their browser, enabling actions such as stealing data visible to the user, making additional requests on their behalf, or even stealing access tokens to impersonate the user. This is primarily exploitable in Dash apps that persist user input to be reloaded by others.
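The practical mitigation on the application side is to never pass stored user input straight into `href`. The following is an added example, not code from the Dash project or from this advisory: a hypothetical `safe_href` helper that a Dash app could call in the callback that builds `html.A` components from persisted data. It allows only relative URLs and an assumed allowlist of schemes (`http`, `https`, `mailto`), and it checks the value the way a browser would effectively read it (HTML entities decoded, control and whitespace characters dropped, scheme compared case-insensitively) so that obfuscated script-bearing schemes are rejected rather than rendered. The helper names, the allowlist and the sample inputs are all constructed for this example.

```python
import html
import re
import unicodedata

# Assumed allowlist for this example; a real app may narrow it further
# (for instance to relative URLs only).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Characters a browser ignores while parsing a URL scheme: ASCII/Unicode
# controls (Cc), format characters (Cf) and all whitespace classes (Zs, Zl, Zp).
_IGNORED_CATEGORIES = ("Cc", "Cf", "Zs", "Zl", "Zp")

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def _normalize_for_check(value: str) -> str:
    """Return the form of `value` that should be inspected for a scheme.

    Entities are decoded and ignorable characters removed so that inputs such
    as "java\\tscript:" or "&#106;avascript:" are recognised for what they are.
    """
    decoded = html.unescape(value)
    cleaned = "".join(
        ch for ch in decoded if unicodedata.category(ch) not in _IGNORED_CATEGORIES
    )
    return cleaned.lower()


def safe_href(value, default=None):
    """Validate a user-supplied href (hypothetical helper, not part of Dash).

    Returns the stripped original value when it is a relative URL or uses an
    allowlisted scheme; otherwise returns `default`. Anything that is not a
    non-empty string is also rejected.
    """
    if not isinstance(value, str):
        return default
    stripped = value.strip()
    if not stripped:
        return default
    probe = _normalize_for_check(stripped)
    match = _SCHEME_RE.match(probe)
    if match and match.group(1) not in ALLOWED_SCHEMES:
        # Any explicit scheme outside the allowlist (javascript:, data:,
        # vbscript:, ...) is refused instead of being passed to the browser.
        return default
    return stripped


def link_props(label: str, user_href, fallback: str = "#") -> dict:
    """Build the keyword arguments for a dash.html.A from stored user data.

    Hypothetical helper: the href goes through safe_href, the label is passed
    as plain children text (rendered as text, not markup), and rel/target are
    set so an allowed external link cannot reach back into the opener window.
    """
    return {
        "children": label,
        "href": safe_href(user_href, default=fallback),
        "target": "_blank",
        "rel": "noopener noreferrer",
    }


if __name__ == "__main__":
    # Constructed sample rows standing in for a persisted "view" that other
    # users will load; in a real app they would come from the app's store.
    stored_rows = [
        {"label": "Quarterly report", "href": "https://example.com/report?id=7"},
        {"label": "Page two", "href": "/dash/page-2"},
        {"label": "Contact", "href": "mailto:ops@example.com"},
        {"label": "Suspicious", "href": "  JaVaScRiPt:alert(1)"},
        {"label": "Obfuscated", "href": "&#106;avascript:alert(1)"},
    ]
    for row in stored_rows:
        props = link_props(row["label"], row["href"])
        print(f"{row['label']:>18}: href={props['href']!r}")
```

In a Dash callback the returned dict would be spread into `html.A(**link_props(...))` at render time, so the stored value itself is never trusted; the check runs on every render rather than only at save time, which also covers data that was persisted before the check existed.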

What is the Impact of CVE-2024-21485?

Successful exploitation may allow attackers to steal sensitive user data, perform actions on behalf of the user, or hijack user sessions, leading to unauthorized access and information disclosure.

What is the Exploitability of CVE-2024-21485?

Exploitation is of moderate complexity, as it requires an authenticated attacker to store a specially crafted input that is then viewed by another user. Authentication is required for the attacker to inject the payload. This is a local attack in the sense that the payload is executed in the victim's browser, but the injection point can be remote if the application is web-accessible. Privilege requirements are typically those of a standard authenticated user. Special conditions include the Dash app having a mechanism to store and display user input to other users. Risk factors that increase likelihood include inadequate input validation and output encoding in Dash applications.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-21485?

Available Upgrade Options

  • dash-html-components
    • <2.0.16 → Upgrade to 2.0.16
  • dash
    • <2.15.0 → Upgrade to 2.15.0
  • dash-core-components
    • <2.0.0 → Upgrade to 2.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21485?

Similar Vulnerabilities: CVE-2023-44473, CVE-2023-43644, CVE-2023-38546, CVE-2023-37905, CVE-2023-36665