@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
- Severity: Medium
Description
Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a “welcome message”, which is HTML that is to be rendered on the login page for branding purposes.
When rendering the welcome message, Dependency-Track versions before 4.13.
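The advisory's point is that a welcome message stored as raw HTML must still be treated as untrusted when the login page renders it, even though only users holding SYSTEM_CONFIGURATION can set it. The following is an added illustration, not Dependency-Track's own code and not its fix: an allow-list sanitizer that keeps a small set of branding-safe tags, drops every other tag and every event-handler or style attribute, and only lets `href` through for `http(s)`, same-origin and fragment links. The tag and attribute policy and the sample messages are assumptions made for this example; a real frontend should use a maintained sanitizer such as DOMPurify rather than a hand-written tokenizer.

```javascript
// Added example (not Dependency-Track code): allow-list sanitizer for an
// admin-supplied HTML welcome message before it is injected into the login page.
// The policy below is an assumption for this example, not the project's policy.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u',
  'h1', 'h2', 'h3', 'ul', 'ol', 'li', 'a', 'span']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) }; // no attributes on other tags
const DROP_WITH_CONTENT = new Set(['script', 'style']);   // remove tag and its body

// Escape text so it is rendered literally, never parsed as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Only absolute http(s), same-origin absolute-path or fragment links are kept;
// any other scheme (javascript:, data:, ...) fails the prefix test.
function isSafeUrl(value) {
  return /^(https?:\/\/|\/(?!\/)|#)/i.test(value.trim());
}

// Keep only attributes allowed for this tag; on* handlers and style never pass.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  for (const m of rawAttrs.matchAll(attrRe)) {
    const attr = m[1].toLowerCase();
    if (!allowed.has(attr)) continue;
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (attr === 'href' && !isSafeUrl(value)) continue;
    out += ` ${attr}="${escapeHtml(value)}"`;
  }
  return out;
}

// Tokenize the message into tags and text. Text is always escaped; tags are
// re-emitted only if allow-listed, and script/style bodies are dropped entirely.
function sanitizeWelcomeMessage(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(name)) {
      // Skip forward to the matching close tag so the body is never emitted.
      const closeRe = new RegExp('</' + name, 'ig');
      closeRe.lastIndex = last;
      const cm = closeRe.exec(html);
      if (cm === null) { last = html.length; break; }
      tagRe.lastIndex = cm.index;
      last = cm.index;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // drop the tag, keep its text content
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[3])}>`;
  }
  out += escapeHtml(html.slice(last));
  return out;
}

// Constructed sample messages (not from the advisory) showing the policy in action.
const SAMPLES = [
  '<p>Welcome to <b>Example Corp</b> Dependency-Track</p>',
  '<script>doSomething()</script><p>Hi</p>',
  '<a href="javascript:run()" onclick="run()">Login help</a>',
  '<a href="https://example.com/help" title="Help">Help</a>',
];
for (const s of SAMPLES) console.log(JSON.stringify(sanitizeWelcomeMessage(s)));
```

Rendering the sanitized string instead of the stored one keeps the branding use case (headings, emphasis, links) while ensuring that whatever an administrator account pastes, or an attacker with that permission injects, cannot execute script in every visitor's browser.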
Recommendation
Update the @dependencytrack/frontend package to the latest compatible version. Version details:
- Affected version(s): >= 4.12.0, < 4.13.6
- Patched version(s): 4.13.6
References
Related Issues
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
- Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134
- Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc) - CVE-2024-38996
- Tags: npm, @dependencytrack/frontend
Last updated on November 17, 2025