
Added CVE-2024-21485 Template #11502

Open
wants to merge 5 commits into base: main
from

Conversation

eeche
Contributor

@eeche eeche commented Jan 18, 2025

Template / PR Information

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Dash framework versions before 2.15.0 are vulnerable to cross-site scripting (XSS) via the href attribute in anchor tags. This template tests for javascript:alert payload injection.

Additional References:

@DhiyaneshGeek DhiyaneshGeek self-assigned this Jan 20, 2025
@DhiyaneshGeek
Member

Hi @eeche

Thanks for sharing the template with the community and contributing to the template project

I have made some minor changes to the template; let me know if it works well at your end.

Thanks

@eeche
Contributor Author

eeche commented Jan 21, 2025

Hi @DhiyaneshGeek

Thanks for the update! The changes look good.

However, Dash does not use /update for POST requests by default.

I modified it to use the Dash callback route instead, and now everything works as expected.

Thanks

@DhiyaneshGeek
Member

Hi @eeche

Can you share setup instructions to set up a vulnerable environment and test this vulnerability?

Looking forward to hearing back from you

Thanks

@eeche
Contributor Author

eeche commented Jan 21, 2025

Hi @DhiyaneshGeek

You can set up a vulnerable environment using the following Dash application code

Thanks

```python
from dash import Dash, html, dcc, Input, Output

app = Dash(__name__)

# Layout containing a vulnerable link
app.layout = html.Div([
    html.H1("Vulnerable Dash Application"),

    # Text field for user input
    dcc.Input(
        id='link-input',
        type='text',
        placeholder='Enter a link'
    ),

    # Area to display the entered link
    html.Div(id='link-output'),

    # Simulated stored data
    html.Div([
        html.H3("Sensitive User Data"),
        html.P("Cookie: " + "sensitive_cookie_value"),
        html.P("Token: " + "user_access_token_123")
    ])
])

# Callback: Process the entered link
@app.callback(
    Output('link-output', 'children'),
    Input('link-input', 'value')
)
def update_link(value):
    if value is None:
        return ''
    # Vulnerable part: Using user input directly in href
    return html.A('Click here', href=value)

if __name__ == '__main__':
    app.run_server(debug=True)
```

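A hardened form of the href handling in the update_link callback above, as an added example (not part of this pull request, and not Dash's own 2.15.0 fix): only http, https, mailto and app-relative links pass through, everything else falls back to "#". safe_href and ALLOWED_SCHEMES are names assumed here; the callback would return html.A('Click here', href=safe_href(value)) instead of passing the raw value.

```python
from urllib.parse import urlsplit

# Schemes a link built from user input is allowed to carry.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers remove ASCII tab/newline anywhere in a URL and strip leading and
# trailing control characters before parsing the scheme, so "java\tscript:"
# reaches the browser as "javascript:". Dropping every control character here
# is stricter than that, which errs toward rejecting.
_CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def safe_href(value, fallback="#"):
    """Return value if it is safe to hand to html.A(href=...), else fallback.

    Hypothetical helper for the update_link callback shown in this thread:
        return html.A('Click here', href=safe_href(value))
    """
    if not isinstance(value, str):
        return fallback
    # Normalise the way a browser would before looking at the scheme.
    cleaned = "".join(ch for ch in value if ch not in _CONTROL_CHARS).strip()
    if not cleaned:
        return fallback
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        # Relative link inside the app ("/page", "page?x=1") is fine, but a
        # scheme-relative "//host/..." lets the input choose the host.
        if cleaned.startswith("//"):
            return fallback
        return cleaned
    # javascript:, data:, vbscript: and anything else unknown end up here.
    return cleaned if scheme in ALLOWED_SCHEMES else fallback
```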
@DhiyaneshGeek DhiyaneshGeek added Done Ready to merge and removed waiting for more info labels Jan 21, 2025
@DhiyaneshGeek
Member

Hi @eeche

Thanks for sharing the details 😄

@ritikchaddha ritikchaddha added Status: In Progress This issue is being worked on, and has someone assigned. and removed Done Ready to merge labels Jan 25, 2025
@eeche
Contributor Author

eeche commented Mar 8, 2025

Hi @DhiyaneshGeek

how is it going?

@DhiyaneshGeek
Member

Hi @eeche

the second request response body content_type -> application/json

the XSS didn't get triggered at our end

are you able to trigger XSS ?

Looking forward to hearing back from you

Thanks

@eeche
Contributor Author

eeche commented Mar 8, 2025

> Hi @eeche
>
> the second request response body content_type -> application/json
>
> the XSS didn't get triggered at our end
>
> are you able to trigger XSS ?
>
> Looking forward to hear back from you
>
> Thanks

Hi @DhiyaneshGeek

[screenshot]

I think it works well

@DhiyaneshGeek
Member

Hi @eeche

Are you able to see this XSS triggered at the browser level?

Also, this exploit works on the custom code that is provided by you.

Let me know if I'm wrong

Thanks

@eeche
Contributor Author

eeche commented Mar 10, 2025

Hi @DhiyaneshGeek

It works well at the browser level for me.

[screenshot]

And I'm using the exact same code that I provided.

Check whether the Dash version is lower than 2.15. My version is 2.14.1.

Thank you
