TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2025-64758

MEDIUM
4.8

Beschreibung

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

CVE Details

CVSS v3.1 Bewertung4.8
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienHIGH
BenutzerinteraktionREQUIRED
Veroffentlicht11/17/2025
Zuletzt geandert11/18/2025
Quellenvd
Honeypot-Sichtungen0

Schwachen (CWE)

CWE-79

Referenzen

https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/1378(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/986(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.