CVE-2024-21485: 
JavaScript vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in multiple Dash components (CVE-2024-21485), affecting versions of dash-core-components before 2.13.0, dash before 2.15.0, and dash-html-components before 2.0.16. The vulnerability was discovered in January 2024 and patched in version 2.15.0 released on January 31, 2024. The vulnerability exists when the href attribute of anchor tags and other HTML elements can be controlled by an adversary (Snyk Advisory, GitHub Issue).

The vulnerability occurs in several HTML components where user-controlled input in attributes like href, src, data, and formAction is not properly sanitized. This affects multiple components including dcc.Link, html.A, html.Iframe, html.ObjectEl, html.Embed, and html.Form. The CVSS v3.1 scores vary between assessments, with NVD rating it at 5.4 (Medium) and Snyk rating it at 6.5 (Medium). The vulnerability requires an authenticated user and user interaction to be exploited (NVD, Snyk Advisory).

An authenticated attacker who stores a view exploiting this vulnerability could potentially steal data visible to other users who open that view. The impact extends beyond just the visible data - attackers could make additional requests to access other data accessible to the victim user. In some cases, they could steal access tokens, allowing them to impersonate the user and access other apps and resources hosted on the same server. This vulnerability is specifically exploitable in Dash apps that include mechanisms to store user input for reloading by different users (Snyk Advisory).

The vulnerability has been patched in dash v2.15.0, dash-core-components v2.13.0, and dash-html-components v2.0.16. The fix includes implementing URL sanitization for potentially dangerous attributes and adding error reporting functionality through a new _dash_error property. Users should upgrade to these versions or later to protect against this vulnerability (GitHub PR, GitHub Release).