CVE-2025-64758
MEDIUM 4.8 | EPSS 0.03% | @dependencytrack/frontend vulnerable to Persistent Cross-Site Scripting via welcome message
Description

### Description

Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed.

### Impact

Users with the `SYSTEM_CONFIGURATION` permission (i.e., administrators) can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page.

### Patches

The issue has been fixed in version 4.13.6.

### References

* The issue was introduced via: https://github.com/DependencyTrack/frontend/pull/986
* The issue was fixed via: https://github.com/DependencyTrack/frontend/pull/1378

### Credit

Thanks to *Jonas Benjamin Friedli* for identifying and responsibly disclosing the issue.
Affected packages (1)
- npm/@dependencytrack/frontend: >= 4.12.0, < 4.13.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64758
- PATCH: https://github.com/DependencyTrack/frontend
- WEB: https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be
- WEB: https://github.com/DependencyTrack/frontend/pull/1378
- WEB: https://github.com/DependencyTrack/frontend/pull/986
- WEB: https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5