CVSS 3.1 Score 5.4 of 10 (medium)


Published Feb 2, 2024
Updated: Mar 6, 2024


CVE-2024-21485 is a vulnerability that affects versions of the package dash-core-components before 2.13.0, versions of the package dash before 2.15.0, and versions of the package dash-html-components before 2.0.16. This vulnerability allows for Cross-site Scripting (XSS) attacks when an adversary controls the href attribute of an "a" tag. An authenticated attacker who exploits this vulnerability can steal data visible to another user who opens a compromised view, potentially including additional requests and access to other data accessible to the user. In some cases, the attacker could also steal access tokens, allowing them to act as that user and view other apps and resources on the same server. This vulnerability only affects Dash apps that include a mechanism to store user input for reloading by a different user.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-21485 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options