search

KOSASIH / pycaret

An open-source, low-code machine learning library in Python
https://www.pycaret.org
MIT License
2 stars 0 forks source link

dash-2.11.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 5.4) - autoclosed #12

Closed mend-bolt-for-github[bot] closed 6 months ago

mend-bolt-for-github[bot] commented 7 months ago
Vulnerable Library - dash-2.11.1-py3-none-any.whl

A Python framework for building reactive web-apps. Developed by Plotly.

Library home page: https://files.pythonhosted.org/packages/35/b8/28850cc6bedd9c39ac05e520596d102ec1139635caabf9d33d9c928c9938/dash-2.11.1-py3-none-any.whl

Path to dependency file: /tests/test_time_series

Path to vulnerable library: /tests/test_time_series,/tmp/ws-scm/pycaret,/requirements.txt

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (dash version) Remediation Possible**
CVE-2024-21485 Medium 5.4 dash-2.11.1-py3-none-any.whl Direct 2.15.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21485 ### Vulnerable Library - dash-2.11.1-py3-none-any.whl

A Python framework for building reactive web-apps. Developed by Plotly.

Library home page: https://files.pythonhosted.org/packages/35/b8/28850cc6bedd9c39ac05e520596d102ec1139635caabf9d33d9c928c9938/dash-2.11.1-py3-none-any.whl

Path to dependency file: /tests/test_time_series

Path to vulnerable library: /tests/test_time_series,/tmp/ws-scm/pycaret,/requirements.txt

Dependency Hierarchy: - :x: **dash-2.11.1-py3-none-any.whl** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. **Note:** This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.

Publish Date: 2024-02-02

URL: CVE-2024-21485

### CVSS 3 Score Details (5.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-547x-748v-vp6p

Release Date: 2024-02-02

Fix Resolution: 2.15.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 6 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #20