PT-2024-18904 · Unknown+1 · Dash-Core-Components+2

Gtsp233 · Published 2024-02-01 · Updated 2025-05-15 · CVE-2024-21485

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

dash-core-components versions prior to 2.13.0
dash versions prior to 2.15.0
dash-html-components versions prior to 2.0.16

Description

The issue allows an authenticated attacker to steal data visible to another user who opens a view that exploits this vulnerability. The attacker could also make additional requests and access other data accessible to this user. In some cases, they could steal the access tokens of that user, allowing the attacker to act as that user, including viewing other apps and resources hosted on the same server. This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
Recommendations

For dash-core-components versions prior to 2.13.0, update to version 2.13.0 or later. For dash versions prior to 2.15.0, update to version 2.15.0 or later. For dash-html-components versions prior to 2.0.16, update to version 2.0.16 or later. As a temporary workaround, restrict the values that stored user input may supply to the href attribute of the a (anchor) tag to reduce the risk of exploitation.
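One way to apply the workaround above is a scheme allowlist that every stored href passes through before it reaches html.A. This is an added example for illustration, not the project's own fix or code; ALLOWED_SCHEMES, safe_href and sanitize_link_props are names chosen here, the plain-dict storage format for component props is assumed, and the stored links are constructed sample data.

```python
from urllib.parse import urlsplit

# Schemes a stored href may use. Anything else, including script-bearing
# URL schemes, is replaced by the fallback. Extend this set deliberately.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def safe_href(value, fallback="#"):
    """Return value if it is a same-site relative path or uses an allowed
    scheme; otherwise return fallback. Non-strings are rejected as well."""
    if not isinstance(value, str):
        return fallback
    candidate = value.strip()
    # Embedded whitespace or control characters are a classic way to slip a
    # scheme past naive prefix checks, so reject the whole value.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 authority
        return fallback
    if parts.scheme == "":
        # No scheme: a relative link such as "/reports/42". Protocol-relative
        # "//host/path" also parses as scheme-less but leaves the site.
        return fallback if candidate.startswith("//") else candidate
    return candidate if parts.scheme.lower() in ALLOWED_SCHEMES else fallback

def sanitize_link_props(props):
    """Clean the props of a stored html.A component (assumed here to be a
    plain dict of component props) before rendering it for another user."""
    cleaned = dict(props)
    if "href" in cleaned:
        cleaned["href"] = safe_href(cleaned["href"])
    return cleaned

if __name__ == "__main__":
    # Constructed sample of links one user stored for others to reload.
    stored_links = [
        {"children": "Quarterly report", "href": "/reports/2024-q1"},
        {"children": "Vendor status", "href": "https://example.com/status"},
        {"children": "Contact", "href": "mailto:ops@example.com"},
        {"children": "Offsite", "href": "//example.net/landing"},
    ]
    for link in stored_links:
        print(sanitize_link_props(link))
```

Run the check in the callback that rebuilds the view from storage, not at input time, so links stored before the check was added are covered too.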

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-21485
GHSA-547X-748V-VP6P
PYSEC-2024-35

Affected Products

Dash
Dash-Core-Components
Dash-Html-Components