TROYANOSYVIRUS
Retour aux CVEs

CVE-2025-64758

MEDIUM
4.8

Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

Details CVE

Score CVSS v3.14.8
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisHIGH
Interaction utilisateurREQUIRED
Publie11/17/2025
Derniere modification11/18/2025
Sourcenvd
Observations honeypot0

Faiblesses (CWE)

CWE-79

References

https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/1378(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/986(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.