[GHSA-547x-748v-vp6p] Dash apps vulnerable to Cross-site Scripting

[graingert]

Updates

• Affected products
• Description

Comments
on pip dash-core-components v2 and dash-html-components v2 are just placeholder packages that import the code from the core dash package so are not vulnerable

[JonathanLEvans]

Hi @graingert, thank you for your contribution. Unfortunately, we are unable to update the description of the CVE record because the ID was issued by Snyk. To get it updated, you need to contact Snyk via report@snyk.io.

[graingert]

@JonathanLEvans can you update just the version range of the Affected products?

[alexcjohnson]

Thanks @graingert - I'll write to Snyk about this

[alexcjohnson]

Snyk has updated their reports to exclude the PyPI v2.0.0 of dash-html-components and dash-core-components
https://security.snyk.io/vuln/SNYK-PYTHON-DASHHTMLCOMPONENTS-6226336
https://security.snyk.io/vuln/SNYK-PYTHON-DASHCORECOMPONENTS-6226334
(Actually they updated them right away on Monday, I just didn't check back until today)
I still see <=2.0.0 for these on GHSA-547x-748v-vp6p - anything else we need to do to get this updated?

[advisory-database]

Hi @graingert! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!