CVE-2024-21485 Scanner
CVE-2024-21485 Scanner - Cross-Site Scripting vulnerability in Dash Framework
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 3 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Dash Framework is an open-source Python-based framework developed by Plotly that is widely used for building interactive web applications and dashboards. It is especially popular in data science, analytics, and machine learning domains for visualizing data through web interfaces. Organizations use Dash to build internal dashboards, client-facing analytics platforms, and data monitoring tools. Its component-based architecture allows seamless integration of user inputs and visual components. The frontend relies heavily on dynamic rendering and user interaction. Due to its reliance on user-controlled components, security vulnerabilities in rendering logic can have significant consequences.
This vulnerability affects versions of Dash Framework before 2.15.0 and allows cross-site scripting (XSS) through improperly sanitized input in the `href` attribute of anchor tags. Attackers can inject JavaScript payloads such as `javascript:alert(document.domain)` which are rendered and executed in the browser context of users. The flaw is exploitable when user input is passed directly to the frontend component props without proper sanitization or encoding. Because Dash applications often process dynamic input from users, a malicious actor can exploit this to compromise user sessions. This makes it possible to exfiltrate sensitive data or impersonate legitimate users. The issue is patched in version 2.15.0.
The technical details involve a crafted POST request to the `_dash-update-component` endpoint with a payload targeting the `link-input` component. The payload contains a JavaScript URI, which, if rendered without sanitization, leads to the execution of arbitrary scripts. The scan confirms the vulnerability by checking if the injected script appears in the response body as part of a valid JSON structure and if the content type is `application/json`. A 200 OK status indicates the component accepted and processed the malicious input. If all matchers succeed, the presence of the XSS vulnerability is confirmed. This showcases a lack of input validation on component properties.
Exploitation of this vulnerability can lead to theft of access tokens, user credentials, or session hijacking by delivering malicious links or exploiting reflected XSS in views. If sensitive operations or data visualizations are exposed to external users, this flaw could also lead to broader application compromise. In multi-user dashboards, the impact can spread across roles and data contexts. Attackers can use social engineering to trick users into clicking vulnerable components. It also opens up the possibility of bypassing content security policies if the application is not strictly configured. Immediate patching and input validation are necessary to mitigate this risk.
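The input-validation mitigation named above, as an added Python example that is neither the scanner's code nor Dash's own 2.15.0 fix: the callback validates a user-supplied URL before it reaches an `href` prop, rejecting `javascript:` and other non-allow-listed schemes. The `safe_href`/`render_link` helpers, the `link-output` id and the scheme allow-list are assumptions; `link-input` is the component id the scan targets.

```python
"""Server-side guard for untrusted href values in a Dash callback (added example)."""
from urllib.parse import urlsplit

# Schemes a dashboard link may carry; anything else (javascript:, data:, vbscript:) is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
FALLBACK_HREF = "#"  # inert value substituted when validation fails


def _normalise(raw: str) -> str:
    # Browsers drop tabs/newlines inside a URL and ignore scheme case, so a value such as
    # "java\tscript:alert(1)" still executes. Strip ASCII control chars and spaces before
    # classifying so the check sees the same scheme the browser will.
    return "".join(ch for ch in raw if ch > "\x20")


def safe_href(raw) -> str:
    """Return raw when it is a relative path or uses an allow-listed scheme, else FALLBACK_HREF."""
    if not isinstance(raw, str) or not raw:
        return FALLBACK_HREF
    scheme = urlsplit(_normalise(raw)).scheme.lower()
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        # "" means a relative URL like "/reports/42" or "?page=2": nothing to execute.
        return raw
    return FALLBACK_HREF


def render_link(user_value) -> dict:
    """Props for an html.A / dcc.Link built from user input; only the validated href is emitted."""
    return {"href": safe_href(user_value), "children": "Open report"}


if __name__ == "__main__":
    # Wiring into a Dash app (requires dash; the "link-output" id is assumed). Upgrading to
    # Dash >= 2.15.0 remains the actual fix; this callback guard adds defence in depth.
    from dash import Dash, Input, Output, dcc, html

    app = Dash(__name__)
    app.layout = html.Div([
        dcc.Input(id="link-input", type="text", value="/reports/latest"),
        html.A(id="link-output", children="Open report", href=FALLBACK_HREF),
    ])

    @app.callback(Output("link-output", "href"), Input("link-input", "value"))
    def update_href(value):
        return safe_href(value)

    app.run(debug=False)
```

Run the module directly to start the guarded app; importing it gives you `safe_href` for use in any existing callback that writes to an `href` prop.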