@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details

Severity:: Medium

Description

Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in), and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown’s output.

Recommendation

Update the @dependencytrack/frontend package to the latest compatible version. Followings are version details:

Affected version(s): < 4.6.1
Patched version(s): 4.6.1

References

GHSA-c33w-pm52-mqvf
docs.dependencytrack.org
CVE-2022-39350
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
Joplin Desktop App vulnerable to Cross-site Scripting - CVE-2022-45598
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:: npm; @dependencytrack/frontend

Anything's wrong? Let us know Last updated on January 30, 2023