TROYANOSYVIRUS
Volver a CVEs

CVE-2025-64758

MEDIUM
4.8

Descripcion

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

Detalles CVE

Puntuacion CVSS v3.14.8
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosHIGH
Interaccion usuarioREQUIRED
Publicado11/17/2025
Ultima modificacion11/18/2025
Fuentenvd
Avistamientos honeypot0

Debilidades (CWE)

CWE-79

Referencias

https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/1378(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/986(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.