Description

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.

INFO

Published Date :

2025-11-17T17:24:27.491Z

Last Modified :

2025-11-17T21:05:16.691Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64758 vulnerability.

Vendors Products
Owasp
  • Dependency-track Frontend
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64758.

URL Resource
https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be cve-icon cve-icon
https://github.com/DependencyTrack/frontend/pull/1378 cve-icon cve-icon
https://github.com/DependencyTrack/frontend/pull/986 cve-icon cve-icon
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact