@dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message_CVE-2025-64758

4.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

Basic Information

ID CVE-2025-64758

Source GitHub_M

Published Nov 17, 2025 at 17:24

Modified Nov 17, 2025 at 21:05

Affected Product

Vendor DependencyTrack

Product frontend

Version >= 4.12.0, < 4.13.6

Affected Versions DependencyTrack frontend >= 4.12.0, < 4.13.6

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a \"welcome message\", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.",
    "published": "2025-11-17T17:24:27.491Z",
    "modified": "2025-11-17T21:05:16.691Z",
    "type": "cve",
    "title": "@dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message",
    "source": "GitHub_M",
    "references": "https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5\nhttps://github.com/DependencyTrack/frontend/pull/1378\nhttps://github.com/DependencyTrack/frontend/pull/986\nhttps://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be",
    "id": "CVE-2025-64758",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "DependencyTrack frontend >= 4.12.0, < 4.13.6",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "frontend",
    "version": ">= 4.12.0, < 4.13.6",
    "vendor": "DependencyTrack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}