Dependency-Track, an open source Component Analysis platform, is commonly used by organizations to identify and reduce risks within their software supply chain. The frontend of Dependency-Track, known as @dependencytrack/frontend, is a Single Page Application (SPA) that is vulnerable to stored cross-site scripting (XSS).
Actors with the VULNERABILITY_MANAGEMENT permission can exploit this vulnerability by creating or editing a custom vulnerability containing XSS payloads in the following fields: Description, Details, Recommendation, or References. The payload is then executed for users with the VIEW_PORTFOLIO permission when they visit the modified vulnerability's page.
Developers have patched the issue in version 4.6.1 of the Dependency-Track frontend. Users are advised to update to 4.6.1 to mitigate potential XSS attacks.
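As an added example (not code from the Dependency-Track frontend), the block below contrasts the unescaped-interpolation pattern behind this bug class with the escaped form, and adds a check that flags stored records whose free-text fields already contain markup so they can be reviewed around the upgrade. The record shape and field names are assumed from the advisory's wording, not taken from the project's data model.

```javascript
// Added example, not Dependency-Track project code: rendering untrusted
// vulnerability fields safely in a browser SPA. The record shape below is a
// constructed stand-in for the fields named in the advisory.

// Escape the five characters that matter when inserting text into HTML.
function escapeHtml(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: the stored field is concatenated straight into markup,
// so any tags the record author typed become part of the page.
function renderUnsafe(vuln) {
  return `<p class="description">${vuln.description}</p>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// so markup in the record is displayed as text rather than interpreted.
const FREE_TEXT_FIELDS = ["description", "details", "recommendation", "references"];

function renderVulnerability(vuln) {
  return FREE_TEXT_FIELDS
    .map((f) => `<section class="${f}"><p>${escapeHtml(vuln[f])}</p></section>`)
    .join("\n");
}

// Defender-side check: list the free-text fields of a stored record that
// contain something tag-like, so those records can be reviewed.
function fieldsWithMarkup(vuln) {
  return FREE_TEXT_FIELDS.filter((f) => /<[a-zA-Z!\/]/.test(String(vuln[f] ?? "")));
}

// Constructed sample record: one field carries markup, the others are plain text.
const sampleVuln = {
  description: "Heap overflow in parser <script>alert(1)</script>",
  details: "Triggered by an oversized length field.",
  recommendation: "Upgrade to the fixed release.",
  references: "https://example.invalid/advisory",
};
```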
For additional information about Dependency-Track and the vulnerable frontend library, refer to the following resources:
- Dependency-Track: https://dependencytrack.org/
- Dependency-Track Frontend: https://github.com/DependencyTrack/frontend/
Here's a code snippet demonstrating how an XSS payload could be crafted
Stay vigilant and keep your software up-to-date to minimize the potential impact of such vulnerabilities.
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:24:00 UTC