logo

Database

Server side cross-site scripting In @dependencytrack/frontend

Description

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message

Description

Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes.

When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed.

Impact

Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page.

Patches

The issue has been fixed in version 4.13.6.

References

Credit

Thanks to Jonas Benjamin Friedli for identifying and responsibly disclosing the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-647582. NVD-2025-647583. OSV-2025-647584. GHSA-7xvh-c266-cfr55. GCVE-2025-64758

References

1. https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr52. https://github.com/DependencyTrack/frontend/pull/13783. https://github.com/DependencyTrack/frontend/pull/9864. https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.