TROYANOSYVIRUS
Voltar para CVEs

CVE-2025-64758

MEDIUM
4.8

Descricao

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

Detalhes CVE

Pontuacao CVSS v3.14.8
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosHIGH
Interacao do usuarioREQUIRED
Publicado11/17/2025
Ultima modificacao11/18/2025
Fontenvd
Avistamentos honeypot0

Fraquezas (CWE)

CWE-79

Referencias

https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/1378(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/pull/986(security-advisories@github.com)
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.