Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
@dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message
Vulnerability Description
@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Dependency-Track Front-End 跨站脚本漏洞
Vulnerability Description
Dependency-Track Front-End是Dependency-Track开源的一个用于依赖跟踪的前端UI。 Dependency-Track Front-End 4.12.0版本至4.13.6之前版本存在跨站脚本漏洞,该漏洞源于HTML清理不当,可能导致任意JavaScript执行。
CVSS Information
N/A
Vulnerability Type
N/A