@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details
- Severity: Medium
Description
Because vulnerability details are commonly authored in Markdown, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown has no XSS countermeasures built in, and versions of the Dependency-Track frontend before 4.6.1 did not encode or sanitize Showdown's output before placing it in the page. Raw HTML or script embedded in a vulnerability description is therefore stored with the vulnerability and executed in the browser of every user who views its details (persistent XSS).
Recommendation
Update the @dependencytrack/frontend package to the latest compatible version. Version details:
- Affected version(s): < 4.6.1
- Patched version(s): 4.6.1
- Tags:
- npm
- @dependencytrack/frontend
Last updated on January 30, 2023