{"id":"CVE-2025-64758","summary":"@dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message","details":"@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a \"welcome message\", which is HTML to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators) can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.","aliases":["GHSA-7xvh-c266-cfr5"],"modified":"2026-04-02T13:01:05.623887Z","published":"2025-11-17T17:24:27.491Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64758.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64758.json"},{"type":"ADVISORY","url":"https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64758"},{"type":"FIX","url":"https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be"},{"type":"FIX","url":"https://github.com/DependencyTrack/frontend/pull/1378"},{"type":"FIX","url":"https://github.com/DependencyTrack/frontend/pull/986"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/DependencyTrack/frontend","events":[{"introduced":"0"},{"fixed":"74eee4a5153fd597c077f92ebdac03b8d195fd22"}],"database_specific":{"versi
ons":[{"introduced":"0"},{"fixed":"4.13.6"}]}},{"type":"GIT","repo":"https://github.com/dependencytrack/frontend","events":[{"introduced":"0"},{"fixed":"8fd757be612eaf4f35eadbe4c334204d7bd711be"}]}],"versions":["1.0.0","1.0.0-rc.1","1.1.0","1.2.0","4.10.0","4.11.0","4.11.1","4.11.2","4.11.3","4.11.4","4.11.5","4.11.6","4.11.7","4.12.0","4.12.1","4.12.2","4.12.3","4.12.4","4.12.5","4.12.6","4.12.7","4.13.0","4.13.1","4.13.2","4.13.3","4.13.4","4.13.5","4.13.6","4.14.0","4.2.0","4.3.0","4.3.1","4.4.0","4.5.0","4.5.1","4.6.0","4.6.1","4.7.0","4.7.1","4.8.0","4.8.1","4.9.0","4.9.1","v1.0.0-rc.1","v1.1.0","v1.2.0","v4.2.0","v4.5.0","v4.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64758.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}