CVE-2025-64758

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be
https://github.com/DependencyTrack/frontend/pull/1378
https://github.com/DependencyTrack/frontend/pull/986
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5

Configurations

No configuration.

History

17 Nov 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-17 18:15

Updated : 2025-11-18 14:06

NVD link : CVE-2025-64758

Mitre link : CVE-2025-64758

CVE.ORG link : CVE-2025-64758

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10