CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 6

02 Feb 2024 — Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user... • https://github.com/plotly/dash/commit/9920073c9a8619ae8f90fcec1924f2f3a4332a8c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Mar 2009 — Untrusted search path vulnerability in dash 0.5.4, when used as a login shell, allows local users to execute arbitrary code via a Trojan horse .profile file in the current working directory. • http://secunia.com/advisories/34205 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •