TROYANOSYVIRUS
Back to CVEs

CVE-2025-64758

MEDIUM
4.8

Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

CVE Details

CVSS v3.1 Score4.8
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionREQUIRED
Published11/17/2025
Last Modified11/18/2025
Sourcenvd
Honeypot Sightings0

Weaknesses (CWE)

CWE-79

References

https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/1378(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/986(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5(security-advisories@github.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.